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Foreword 


The  Federal  Information  Processing  Standards  Publication  Series  of  the  National  Institute  of 
Standards  and  Technology  (NIST)  is  the  official  series  of  publications  relating  to  standards  and 
guidelines  adopted  and  promulgated  under  the  provisions  of  Section  5131  of  the  Information 
Technology  Management  Reform  Act  of  1996  (Public  Law  104-106),  and  the  Computer  Security 
Act  of  1987  (Public  Law  100-235).  These  mandates  have  given  the  Secretary  of  Commerce  and 
NIST  important  responsibilities  for  improving  the  utilization  and  management  of  computer  and 
related  telecommunications  systems  in  the  Federal  Government.  The  NIST,  through  its  Information 
Technology  Laboratory,  provides  leadership,  technical  guidance,  and  coordination  of  Government 
efforts  in  the  development  of  standards  and  guidelines  in  these  areas. 

Comments  concerning  Federal  Information  Processing  Standards  Publications  are  welcomed  and 
should  be  addressed  to  the  Director,  Information  Technology  Laboratory,  National  Institute  of 
Standards  and  Technology,  100  Bureau  Dr.  Stop  8900,  Gaithersburg,  MD  20899-8900. 


William  Mehuron,  Director 
Information  Technology  Laboratory 


Abstract 

This  standard  specifies  a  suite  of  algorithms  which  can  be  used  to  generate  a  digital  signature. 
Digital  signatures  are  used  to  detect  unauthorized  modifications  to  data  and  to  authenticate  the 
identity  of  the  signatory.  In  addition,  the  recipient  of  signed  data  can  use  a  digital  signature  in 
proving  to  a  third  party  that  the  signature  was  in  fact  generated  by  the  signatory.  This  is  known  as 
nonrepudiation  since  the  signatory  cannot,  at  a  later  time,  repudiate  the  signature. 

Key  words:  ADP  security,  computer  security,  digital  signatures,  public-key  cryptography.  Federal 
Information  Processing  Standards. 
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Federal  Information 
Processing  Standards  Publication  186-2 

2000  January  27 

Announcing  the 

DIGITAL  SIGNATURE  STANDARD  (DSS) 


Federal  Information  Processing  Standards  Publications  (FIPS  PUBS)  are  issued  by  the  National 
Institute  of  Standards  and  Technology  (NIST)  after  approval  by  the  Secretary  of  Commerce  pursuant 
to  Section  5131  of  the  Information  Technology  Management  Reform  Act  of  1996  (Public  Law  104- 
106),  and  the  Computer  Security  Act  of  1987  (Public  Law  100-235). 

Name  of  Standard:  Digital  Signature  Standard  (DSS). 

Category  of  Standard:  Computer  Security,  Cryptography. 

Explanation:  This  Standard  specifies  algorithms  appropriate  for  applications  requiring  a  digital, 
rather  than  written,  signature.  A  digital  signature  is  represented  in  a  computer  as  a  string  of  binary 
digits.  A  digital  signature  is  computed  using  a  set  of  rules  and  a  set  of  parameters  such  that  the 
identity  of  the  signatory  and  integrity  of  the  data  can  be  verified.  An  algorithm  provides  the 
capability  to  generate  and  verify  signatures.  Signature  generation  makes  use  of  a  private  key  to 
generate  a  digital  signature.  Signature  verification  makes  use  of  a  public  key  which  corresponds  to, 
but  is  not  the  same  as,  the  private  key.  Each  user  possesses  a  private  and  public  key  pair.  Public 
keys  are  assumed  to  be  known  to  the  public  in  general.  Private  keys  are  never  shared.  Anyone  can 
verify  the  signature  of  a  user  by  employing  that  user's  public  key.  Signature  generation  can  be 
performed  only  by  the  possessor  of  the  user's  private  key. 

A  hash  function  is  used  in  the  signature  generation  process  to  obtain  a  condensed  version  of  data, 
called  a  message  digest  (see  Figure  1).  The  message  digest  is  then  input  to  the  digital  signature  (ds) 
algorithm  to  generate  the  digital  signature.  The  digital  signature  is  sent  to  the  intended  verifier  along 
with  the  signed  data  (often  called  the  message).  The  verifier  of  the  message  and  signature  verifies 
the  signature  by  using  the  sender's  public  key.  The  same  hash  function  must  also  be  used  in  the 
verification  process.  The  hash  function  is  specified  in  a  separate  standard,  the  Secure  Hash  Standard 
(SHS),  FIPS  180-1.  FIPS  approved  ds  algorithms  must  be  implemented  with  the  SHS.  Similar 
procedures  may  be  used  to  generate  and  verify  signatures  for  stored  as  well  as  transmitted  data. 
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Approving  Authority;  Secretary  of  Commerce. 

Maintenance  Agency:  U.S.  Department  of  Commerce,  National  Institute  of  Standards  and 
Technology  (NIST),  Information  Technology  Laboratory  (ITL). 

Applicability:  This  standard  is  applicable  to  all  Federal  departments  and  agencies  for  the  protection 
of  sensitive  unclassified  information  that  is  not  subject  to  section  2315  of  Title  10,  United  States 
Code,  or  section  3502(2)  of  Title  44,  United  States  Code.  This  standard  shall  be  used  in  designing 
and  implementing  public-key  based  signature  systems  that  Federal  departments  and  agencies  operate 
or  which  are  operated  for  them  under  contract.  Adoption  and  use  of  this  standard  is  available  to 
private  and  commercial  organizations. 

Applications:  A  digital  signature  (ds)  algorithm  authenticates  the  integrity  of  the  signed  data  and 
the  identity  of  the  signatory.  A  ds  algorithm  may  also  be  used  in  proving  to  a  third  party  that  data 
was  actually  signed  by  the  generator  of  the  signature.  A  ds  algorithm  is  intended  for  use  in  electronic 
mail,  electronic  funds  transfer,  electronic  data  interchange,  software  distribution,  data  storage,  and 
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other  applications  that  require  data  integrity  assurance  and  data  origin  authentication.  The 
techniques  specified  in  ANSI  X9.31  and  ANSI  X9.62  may  be  used  in  addition  to  the  Digital 
Signature  Algorithm  (DSA)  specified  herein.  (NIST  editorial  note:  either  DSA,  RSA  [ANSI  X9.3 1], 
or  ECDSA  [ANSI  X9.62]  may  be  used;  all  three  do  not  have  to  be  implemented.) 

Implementations:  A  ds  algorithm  may  be  implemented  in  software  firmware,  hardware  or  any 
combination  thereof.  NIST  has  developed  a  validation  program  to  test  implementations  for 
conformance  to  DSA.  Currently,  conformance  tests  for  ANSI  X9.3 1  and  ANSI  X9.62  have  not  been 
developed.  These  tests  will  be  developed  and  made  available  in  the  future.  Information  about  the 
planned  validation  program  can  be  obtained  from  the  National  Institute  of  Standards  and 
Technology,  Information  Technology  Laboratory,  Attn:  DSS  Validation,  100  Bureau  Drive  Stop 
8930,  Gaithersburg,  MD  20899-8930. 

Agencies  are  advised  that  separate  keys  should  be  used  for  signature  and  confidentiality  purposes 
when  using  the  X9.3 1  standard.  This  is  because  the  RSA  algorithm  can  be  used  for  both  data 
encryption  and  digital  signature  purposes. 

Export  Control:  Certain  cryptographic  devices  and  technical  data  regarding  them  are  subject  to 
Federal  export  controls.  Applicable  Federal  government  export  controls  are  specified  in  Title  15, 
Code  of  Federal  Regulations  (CFR)  Part  740.17;  Title  15,  CFR  Part  742;  and  Title  15,  CFR  Part  774, 
Category  5,  Part  2. 

Patents:  The  algorithms  in  this  standard  may  be  covered  by  U.S.  or  foreign  patents. 

Implementation  Schedule:  This  standard  becomes  effective  July  27,  2000.  A  transition  period  from 
July  27,  2000  until  July  27,  2001  is  provided  to  enable  all  agencies  to  develop  plans  for  the 
acquisition  of  equipment  which  implements  the  digital  signature  techniques  adopted  by  FIPS  186-2. 
During  the  transition  period,  agencies  may  continue  to  use  their  existing  digital  signature  systems 
and  to  acquire  additional  equipment  that  may  be  needed  to  interoperate  with  these  legacy  digital 
signature  systems.  Agencies  without  legacy  digital  signature  systems  should  plan  for  the  acquisition 
and  use  of  equipment  implementing  the  digital  signature  techniques  that  are  adopted  by  FIPS  186-2. 
After  the  transition  period,  only  equipment  that  implements  FIPS  1 86-2  endorsed  techniques  should 
be  acquired. 

Specifications:  Federal  Information  Processing  Standard  (FIPS)  186-2  Digital  Signature  Standard 
(affixed).  Also  see  an  important  change  notice  at  the  end  of  this  document. 

Cross  Index: 

a.  FIPS  PUB  46-3,  Data  Encryption  Standard. 

b.  FIPS  PUB  73,  Guidelines  for  Security  of  Computer  Applications. 
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c.  FIPS  PUB  140-1,  Security  Requirements  for  Cryptographic  Modules. 

d.  FIPS  PUB  171,  Key  Management  Using  ANSI  X9.17. 

e.  FIPS  PUB  180-1,  Secure  Hash  Standard. 

f.  ANSI  X9.3 1-1998,  Digital  Signatures  Using  Reversible  Public  Key  Cryptography  for  the 
Financial  Services  Industry  (rDSA). 

g.  ANSI  X9. 62-1998,  Public  Key  Cryptography  for  the  Financial  Services  Industry:  The  Elliptic 
Curve  Digital  Signature  Algorithm  (ECDSA). 

Qualifications:  The  security  of  a  digital  signature  system  is  dependent  on  maintaining  the  secrecy 
of  users'  private  keys.  Users  must  therefore  guard  against  the  unauthorized  acquisition  of  their 
private  keys.  While  it  is  the  intent  of  this  standard  to  specify  general  security  requirements  for 
generating  digital  signatures,  conformance  to  this  standard  does  not  assure  that  a  particular 
implementation  is  secure.  The  responsible  authority  in  each  agency  or  department  shall  assure  that 
an  overall  implementation  provides  an  acceptable  level  of  security.  This  standard  will  be  reviewed 
every  five  years  in  order  to  assess  its  adequacy. 

Waiver  Procedure:  Under  certain  exceptional  circumstances,  the  heads  of  Federal  agencies,  or  their 
delegates,  may  approve  waivers  to  Federal  Information  Processing  Standards  (FIPS).  The  head  of 
such  agency  may  redelegate  such  authority  only  to  a  senior  official  designated  pursuant  to  section 
3506(b)  of  Title  44,  United  States  Code.  Waiver  shall  be  granted  only  when: 

a.  Compliance  with  a  standard  would  adversely  affect  the  accomplishment  of  the  mission  of  an 
operator  of  a  Federal  computer  system;  or 

b.  Cause  a  major  adverse  financial  impact  on  the  operator  which  is  not  offset  by  Government  wide 
savings. 

Agency  heads  may  act  upon  a  written  waiver  request  containing  the  information  detailed  above. 
Agency  heads  may  also  act  without  a  written  waiver  request  when  they  determine  that  conditions  for 
meeting  the  standard  cannot  be  met.  Agency  heads  may  approve  waivers  only  by  a  written  decision 
which  explains  the  basis  on  which  the  agency  head  made  the  required  finding(s).  A  copy  of  each 
such  decision,  with  procurement  sensitive  or  classified  portions  clearly  identified,  shall  be  sent  to: 
National  Institute  of  Standards  and  Technology;  ATTN:  FIPS  Waiver  Decisions,  100  Bureau  Drive 
Stop  8970,  Gaithersburg,  MD  20899-8970. 

In  addition,  notice  of  each  waiver  granted  and  each  delegation  of  authority  to  approve  waivers  shall 
be  sent  promptly  to  the  Committee  on  Government  Operations  of  the  House  of  Representatives  and 
the  Committee  on  Governmental  Affairs  of  the  Senate  and  shall  be  published  promptly  in  the  Federal 
Register. 
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When  the  determination  on  a  waiver  applies  to  the  procurement  of  equipment  and/or  services,  a 
notice  of  the  waiver  determination  must  be  published  in  the  Commerce  Business  Daily  as  a  part  of 
the  notice  of  solicitation  for  offers  of  an  acquisition  or,  if  the  waiver  determination  is  made  after  that 
notice  is  published,  by  amendment  to  such  notice. 

A  copy  of  the  waiver,  any  supporting  documents,  the  document  approving  the  waiver  and  any 
supporting  and  accompanying  documents,  with  such  deletions  as  the  agency  is  authorized  and 
decides  to  make  under  5  U.S.C.  Sec.  552(b),  shall  be  part  of  the  procurement  documentation  and 
retained  by  the  agency. 

Where  to  Obtain  Copies  of  the  Standard:  Copies  of  this  publication  are  for  sale  by  the  National 
Technical  Information  Service,  U.S.  Department  of  Commerce,  Springfield,  VA  22161.  When 
ordering,  refer  to  Federal  Information  Processing  Standards  Publication  186-2  (FIPSPUB 186-2),  and 
identify  the  title.  When  microfiche  is  desired,  this  should  be  specified.  Prices  are  published  by  NTIS 
in  current  catalogs  and  other  issuances.  Payment  may  be  made  by  check,  money  order,  deposit 
account  or  charged  to  a  credit  card  accepted  by  NTIS. 
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Federal  Information 
Processing  Standards  Publication  186-2 

2000  January  27 


Specifications  for  the 


DIGITAL  SIGNATURE  STANDARD  (DSS) 


1.  INTRODUCTION 

This  publication  prescribes  three  algorithms  suitable  for  digital  signature  (ds)  generation  and 
verification.  The  first  algorithm,  the  Digital  Signature  Algorithm  (DSA),  is  deseribed  in  seetions 
4-6  and  appendices  1-5.  The  second  algorithm,  the  RSA  ds  algorithm,  is  diseussed  in  seetion  7 
and  the  third  algorithm,  the  ECDSA  algorithm,  is  discussed  in  seetion  8  and  reeommended  elliptie 
curves  in  appendix  6.  An  important  change  notice  has  been  appended  to  this  doeument. 


2.  GENERAL 

When  a  message  is  received,  the  recipient  may  desire  to  verify  that  the  message  has  not  been  altered 
in  transit.  Furthermore,  the  recipient  may  wish  to  be  certain  of  the  originator's  identity.  Both  of 
these  services  can  be  provided  by  a  ds  algorithm.  A  digital  signature  is  an  electronic  analogue  of  a 
written  signature  in  that  the  digital  signature  can  be  used  in  proving  to  the  recipient  or  a  third  party 
that  the  message  was,  in  fact,  signed  by  the  originator.  Digital  signatures  may  also  be  generated  for 
stored  data  and  programs  so  that  the  integrity  of  the  data  and  programs  may  be  verified  at  any  later 
time. 

This  publication  prescribes  two  algorithms  suitable  for  digital  signature  generation  and  verification. 


3.  USE  OF  A  DIGITAL  SIGNATURE  (ds)  ALGORITHM 

A  ds  algorithm  is  used  by  a  signatory  to  generate  a  digital  signature  on  data  and  by  a  verifier  to 
verify  the  authenticity  of  the  signature.  Each  signatory  has  a  public  and  private  key.  The  private  key 
is  used  in  the  signature  generation  process  and  the  public  key  is  used  in  the  signature  verification 
process.  For  both  signature  generation  and  verification,  the  data  which  is  referred  to  as  a  message. 
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M,  is  reduced  by  means  of  the  Secure  Hash  Algorithm  (SHA-1)  specified  in  FIPS  180-1.  An 
adversary,  who  does  not  know  the  private  key  of  the  signatory,  cannot  generate  the  correct  signature 
of  the  signatory.  In  other  words,  signatures  cannot  be  forged.  However,  by  using  the  signatory's 
public  key,  anyone  can  verify  a  correctly  signed  message.  A  means  of  associating  public  and  private 
key  pairs  to  the  corresponding  users  is  required.  That  is,  there  must  be  a  binding  of  a  user's  identity 
and  the  user's  public  key.  This  binding  may  be  certified  by  a  mutually  trusted  party.  For  example, 
a  certifying  authority  could  sign  credentials  containing  a  user's  public  key  and  identity  to  form  a 
certificate.  Systems  for  certifying  credentials  and  distributing  certificates  are  beyond  the  scope  of 
this  standard.  NIST  intends  to  publish  separate  document(s)  on  certifying  credentials  and  distributing 
certificates. 


4.  DSA  PARAMETERS 

The  DSA  makes  use  of  the  following  parameters: 

1.  p  =  a  prime  modulus,  where  2^  '  <  p  <  2^  for  512  <  L  <  1024  and  L  a  multiple  of  64 

2.  q  =  a  prime  divisor  of  p  -  1,  where  2'^^  <  q  <  2'^° 

3.  g  =  mod  p,  where  h  is  any  integer  with  1  <  h  <  p  -  1  such  that  mod  p  >  1 
(g  has  order  q  mod  p) 

4.  X  =  a  randomly  or  pseudorandomly  generated  integer  with  0  <  x  <  q 

5.  y  =  g’^  mod  p 

6.  k  =  a  randomly  or  pseudorandomly  generated  integer  with  0  <  k  <  q 

The  integers  p,  q,  and  g  can  be  public  and  can  be  common  to  a  group  of  users.  A  user's  private  and 
public  keys  are  x  and  y,  respectively.  They  are  normally  fixed  for  a  period  of  time.  Parameters  x 
and  k  are  used  for  signature  generation  only,  and  must  be  kept  secret.  Parameter  k  must  be 
regenerated  for  each  signature. 

Parameters  p  and  q  shall  be  generated  as  specified  in  Appendix  2,  or  using  other  FIPS  approved 
security  methods.  Parameters  x  and  k  shall  be  generated  as  specified  in  Appendix  3,  or  using  other 
FIPS  approved  security  methods. 


5.  DSA  SIGNATURE  GENERATION 

The  signature  of  a  message  M  is  the  pair  of  numbers  r  and  s  computed  according  to  the  equations 
below: 
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r  =  (g*^  mod  p)  mod  q  and 
s  =  (k'’(SHA-l(M)  +  xr))  mod  q. 

In  the  above,  k’’  is  the  multiplicative  inverse  of  k,  mod  q;  i.e.,  (k’’  k)  mod  q  =  1  and  0  <  k'’  <  q.  The 
value  of  SHA- 1  (M)  is  a  1 60-bit  string  output  by  the  Secure  Hash  Algorithm  specified  in  FIPS  180-1. 
For  use  in  computing  s,  this  string  must  be  converted  to  an  integer.  The  conversion  rule  is  given 
in  Appendix  2.2. 

As  an  option,  one  may  wish  to  check  if  r  =  0  or  s  =  0.  If  either  r  =  0  or  s  =  0,  a  new  value  of  k  should 
be  generated  and  the  signature  should  be  recalculated  (it  is  extremely  unlikely  that  r  =  0  or  s  =  0  if 
signatures  are  generated  properly). 

The  signature  is  transmitted  along  with  the  message  to  the  verifier. 


6.  DSA  SIGNATURE  VERIFICATION 

Prior  to  verifying  the  signature  in  a  signed  message,  p,  q  and  g  plus  the  sender's  public  key  and 
identity  are  made  available  to  the  verifier  in  an  authenticated  manner. 

Let  M',  r',  and  s'  be  the  received  versions  of  M,  r,  and  s,  respectively,  and  let  y  be  the  public  key  of 
the  signatory.  To  verify  the  signature,  the  verifier  first  checks  to  see  that  0  <  r'  <  q  and  0  <  s'  <  q; 
if  either  condition  is  violated  the  signature  shall  be  rejected.  If  these  two  conditions  are  satisfied, 
the  verifier  computes 

w  =  (s'X’  mod  q 

ul  =  ((SHA-l(M'))w)  mod  q 

u2  =  ((r')w)  mod  q 

V  =  (((g)"*’  (y)"*^)  mod  p)  mod  q. 

If  V  =  r',  then  the  signature  is  verified  and  the  verifier  can  have  high  confidence  that  the  received 
message  was  sent  by  the  party  holding  the  secret  key  x  corresponding  to  y.  For  a  proof  that  v  =  r' 
when  M'  =  M,  r'  =  r,  and  s'  =  s,  see  Appendix  1 . 

If  V  does  not  equal  r',  then  the  message  may  have  been  modified,  the  message  may  have  been 
incorrectly  signed  by  the  signatory,  or  the  message  may  have  been  signed  by  an  impostor.  The 
message  should  be  considered  invalid. 

7.  RSA  DIGITAL  SIGNATURE  ALGORITHM 
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The  RSA  ds  algorithm  is  a  FIPS  approved  cryptographic  algorithm  for  digital  signature  generation 
and  verification.  This  is  described  in  ANSI  X9.3I. 

8.  ELLIPTIC  CURVE  DIGITAL  SIGNATURE  ALGORITHM  (ECDSA) 

The  ECDSA  ds  algorithm  is  a  FIPS  approved  cryptographic  algorithm  for  digital  signature 
generation  and  verification.  ECDSA  is  the  elliptic  curve  analogue  of  the  DSA.  ECDSA  is 
described  in  ANSI  X9.62.  The  recommended  elliptic  curves  for  Federal  Government  use  are 
included  in  Appendix  6. 
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APPENDIX  1.  A  PROOF  THAT  v  =  r'  IN  THE  DSA 


This  appendix  is  for  informational  purposes  only  and  is  not  required  to  meet  the  standard. 

The  purpose  of  this  appendix  is  to  show  that  in  the  DSA,  if  M'  =  M,  r'  =  r  and  s'  =  s  in  the  signature 
verification  then  v  =  r'.  We  need  the  following  easy  result. 

LEMMA.  Let  p  and  q  be  primes  so  that  q  divides  p  -  1,  h  a  positive  integer  less  than  p,  and  g  = 
mod  p.  Then  g'’  mod  p  =  1 ,  and  if  m  mod  q  =  n  mod  q,  then  g"”  mod  p  =  g"  mod  p. 

Proof:  We  have 

g’’  mod  p  =  (h^P'h/q  p^q  p 
=  mod  p 
=  1 

by  Fermat's  Little  Theorem.  Now  let  m  mod  q  =  n  mod  q,  i.e.,  m  =  n  +  kq  for  some  integer  k.  Then 
g"’  mod  p  =  mod  p 
=  (g"  g*"^)  mod  p 

=  ((g"  mod  p)  (g^  mod  p)*^)  mod  p 
=  g"  mod  p 
since  g*’  mod  p  =  1 .  ■ 

We  are  now  ready  to  prove  the  main  result. 

THEOREM.  If  M'  =  M,  r'  =  r,  and  s'  =  s  in  the  signature  verification,  then  v  =  r'. 

Proof:  We  have 
w  =  (s')'’  mod  q  =  s'’  mod  q 

ul  =  ((SHA-l(M'))w)  mod  q  =  ((SHA-l(M))w)  mod  q 
u2  =  ((r')w)  mod  q  =  (rw)  mod  q. 
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Now  y  =  g^  mod  p,  so  that  by  the  lemma, 

V  =  ((g“’  mod  p)  mod  q 

=  ((gSHA-l*^^^"  y™)  mod  p)  mod  q 
=  ((gSHA-l'^^^'*'  g’'™)  mod  p)  mod  q 
=  ((g‘^SHA-l‘^“^^’‘’^^")  mod  p)  mod  q. 
Also 

s  =  (k'’(SHA-l(M)  +  xr))  mod  q. 

Hence 

w  =  (k(SHA-l(M)  +  xr)‘')  mod  q 
(SHA-l(M)  +  xr)w  mod  q  =  k  mod  q. 
Thus  by  the  lemma, 

V  =  (g*^  mod  p)  mod  q 
=  r 

=  r'.  ■ 
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APPENDIX  2.  GENERATION  OF  PRIMES  FOR  THE  DSA 


This  appendix  includes  algorithms  for  generating  the  primes  p  and  q  used  in  the  DSA.  These 
algorithms  require  a  random  number  generator  (see  Appendix  3),  and  an  efficient  modular 
exponentiation  algorithm.  Generation  of  p  and  q  shall  be  performed  as  specified  in  this  appendix, 
or  using  other  FIPS  approved  security  methods. 

2.1.  A  PROBABILISTIC  PRIMALITY  TEST 

In  order  to  generate  the  primes  p  and  q,  a  primality  test  is  required. 

There  are  several  fast  probabilistic  algorithms  available.  The  following  algorithm  is  a  simplified 
version  of  a  procedure  due  to  M.O.  Rabin,  based  in  part  on  ideas  of  Gary  L.  Miller.  [See  Knuth,  The 
Art  of  Computer  Programming,  Vol.  2,  Addison-Wesley,  1981,  Algorithm  P,  page  379.]  If  this 
algorithm  is  iterated  n  times,  it  will  produce  a  false  prime  with  probability  no  greater  than  1/4". 
Therefore,  n  >  50  will  give  an  acceptable  probability  of  error.  To  test  whether  an  integer  is  prime: 

Step  1.  Set  i  =  1  and  n  >  50. 

Step  2.  Set  w  =  the  integer  to  be  tested,  w  =  1  +  2"m,  where  m  is  odd  and  T  is  the  largest 
power  of  2  dividing  w  -  1 . 

Step  3.  Generate  a  random  integer  b  in  the  range  1  <  b  <  w. 

Step  4.  Set  j  =  0  and  z  =  O'"  mod  w. 

Step  5.  If  j  =  0  and  z  =  1 ,  or  if  z  =  w  -  1 ,  go  to  step  9. 

Step  6.  If  j  >0  and  z  =  1,  go  to  step  8. 

Step  7.  j  =  j  +  1 .  If  j  <  a,  set  z  =  z  mod  w  and  go  to  step  5. 

Step  8.  w  is  not  prime.  Stop. 

Step  9.  If  i  <  n,  set  i  =  i  +  1  and  go  to  step  3.  Otherwise,  w  is  probably  prime. 

2.2.  GENERATION  OF  PRIMES 

The  DSA  requires  two  primes,  p  and  q,  satisfying  the  following  three  conditions: 

a_2>59<q<2i60 

b.  2^"’  <  p  <  2^  for  a  specified  L,  where  L  =  5 12  +  64j  for  some  0  <  j  <  8 
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c.  q  divides  p  -  1 . 

This  prime  generation  scheme  starts  by  using  the  SHA-1  and  a  user  supplied  SEED  to  construct  a 
prime,  q,  in  the  range  2i59<q<2i60_ 

Once  this  is  accomplished,  the  same  SEED  value  is  used  to 
construct  an  X  in  the  range  2^"’  <  X  <  2^.  The  prime,  p,  is  then  formed  by  rounding  X  to  a  number 
congruent  to  1  mod  2q  as  described  below. 

An  integer  x  in  the  range  0  <  x  <  2®  may  be  converted  to  a  g-long  sequence  of  bits  by  using  its  binary 
expansion  as  shown  below: 

X  =  xi*2®"’  +  X2*2®'^  +  ...  +  Xg.i*2  +  Xg  ->  {  xi,...,xg  }. 

Conversely,  a  g-long  sequence  of  bits  {  X|,...,Xg  }  is  converted  to  an  integer  by  the  rule 

{  X],...,Xg  }  ->  xi*2®'’  +  X2*2®“^  +  ...  +  Xg-i*2  +  Xg. 

Note  that  the  first  bit  of  a  sequence  corresponds  to  the  most  significant  bit  of  the  corresponding 
integer  and  the  last  bit  to  the  least  significant  bit. 

Let  L  -  1  =  n*  160  +  b,  where  both  b  and  n  are  integers  and  0  <  b  <  160. 

Step  1.  Choose  an  arbitrary  sequence  of  at  least  160  bits  and  call  it  SEED.  Let  g  be  the  length 
of  SEED  in  bits. 

Step  2.  Compute 

U  =  SHA-1  [SEED]  XOR  SHA-1  [(SEED+1)  mod  2®  ]. 

Step  3.  Form  q  from  U  by  setting  the  most  significant  bit  (the  2’^^  bit)  and  the  least  significant 
bit  to  1.  In  terms  of  boolean  operations,  q  =  U  OR  2’^^  OR  1.  Note  that  2’^^  <  q  <  2’^°. 

Step  4.  Use  a  robust  primality  testing  algorithm  to  test  whether  q  is  prime’. 

Step  5.  If  q  is  not  prime,  go  to  step  1 . 

Step  6.  Let  counter  =  0  and  offset  =  2. 

Step  7.  Fork  =  0,...,nlet 

Vk  =  SHA-1  [(SEED  +  offset  +  k)  mod  2®  ]. 

’a  robust  primality  test  is  one  where  the  probability  of  a  non-prime  number  passing  the  test  is  at 
most  2"’’”. 
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Step  8.  Let  W  be  the  integer 

W  =  Vo  +  +  ...  +  +  (Vn  mod  2*’)  *  2"*’^° 

and  let  X  =  W  +  2^"’.  Note  that  0  <  W  <  2^''  and  hence  2^"’  <  X  <  2^. 

Step  9.  Let  c  =  X  mod  2q  and  set  p  =  X  -  (c  -  1).  Note  that  p  is  congruent  to  1  mod  2q. 

Step  10.  If  p  <  2^"’,  then  go  to  step  13. 

Step  11.  Perform  a  robust  primality  test  on  p. 

Step  12.  If  p  passes  the  test  performed  in  step  1 1,  go  to  step  15. 

Step  13.  Let  counter  =  counter  +  1  and  offset  =  offset  +  n  +  1 . 

Step  14.  If  counter  >  2’^  =  4096  go  to  step  1,  otherwise  (i.e.  if  counter  <  4096)  go  to  step  7. 

Step  15.  Save  the  value  of  SEED  and  the  value  of  counter  for  use  in  certifying  the  proper 
generation  of  p  and  q. 
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APPENDIX  3.  RANDOM  NUMBER  GENERATION  FOR  THE  DSA 


Any  implementation  of  the  DSA  requires  the  ability  to  generate  random  or  pseudorandom  integers. 
Such  numbers  are  used  to  derive  a  user's  private  key,  x,  and  a  user's  per  message  secret  number,  k. 
These  randomly  or  pseudorandomly  generated  integers  are  selected  to  be  between  0  and  the  160-bit 
prime  q  (as  specified  in  the  standard).  They  shall  be  generated  by  the  techniques  given  in  this 
appendix,  or  using  other  FIPS  approved  security  methods. 

One  FIPS  approved  pseudorandom  integer  generator  is  supplied  in  Appendix  C  of  ANSI  X9.17, 
"Financial  Institution  Key  Management  (Wholesale)." 

Other  pseudorandom  integer  generators  are  given  in  this  appendix.  These  permit  generation  of 
pseudorandom  values  of  x  and  k  for  use  in  the  DSA.  The  algorithm  in  section  3.1  may  be  used  to 
generate  values  for  x.  An  algorithm  for  k  and  r  is  given  in  section  3.2.  The  latter  algorithm  allows 
most  of  the  signature  computation  to  be  precomputed  without  knowledge  of  the  message  to  be 
signed. 

The  algorithms  employ  a  one-way  function  G(t,c),  where  t  is  160  bits,  c  is  b  bits  (160  <  b  <  512)  and 
G(t,c)  is  160  bits.  One  way  to  construct  G  is  via  the  Secure  Hash  Algorithm  (SHA-1),  as  defined 
in  the  Secure  Hash  Standard  (SHS).  The  160-bit  message  digest  output  of  the  SHA-1  algorithm 
when  message  M  is  input  is  denoted  by  SHA-1  (M).  A  second  method  for  constructing  G  is  to  use 
the  Data  Encryption  Standard  (DES).  The  construction  of  G  by  these  techniques  is  discussed  in 
sections  3.3  and  3.4  of  this  appendix. 

In  the  algorithms  in  sections  3.1  and  3.2,  a  secret  b-bit  seed-key  is  used.  The  algorithm  in  section 
3.1  optionally  allows  the  use  of  a  user  provided  input.  If  G  is  constructed  via  the  SHA-1  as  defined 
in  section  3.3,  then  b  is  between  160  and  512.  If  DES  is  used  to  construct  G  as  defined  in  section 
3.4,  then  b  is  equal  to  160. 

3.1.  ALGORITHM  FOR  COMPUTING  m  VALUES  OF  x 

Let  X  be  the  signer's  private  key.  The  following  may  be  used  to  generate  m  values  of  x: 

Step  1.  Choose  a  new,  secret  value  for  the  seed-key,  XKEY. 

Step  2.  In  hexadecimal  notation  let 

t  =  67452301  EFCDAB89  98BADCFE  10325476  C3D2E1F0. 

This  is  the  initial  value  for  Hq  ||  Hj  ||  H2  ||  H3 1|  H4  in  the  SHS. 

Step  3.  For)  =  0  to  m  -  1  do 
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a.  XSEEDj  =  optional  user  input. 

b.  XVAL  =  (XKEY  +  XSEEDj)  mod  2^ 

c.  xj  =  G(t,XVAL)  mod  q. 

d.  XKEY  =  (1  +  XKEY  +  Xj)  mod  2^ 

3.2.  ALGORITHM  FOR  PRECOMPUTING  ONE  OR  MORE  k  AND  r  VALUES 

This  algorithm  can  be  used  to  precompute  k,  k"',  and  r  for  m  messages  at  a  time.  Note  that 
implementation  of  the  DSA  with  precomputation  may  be  covered  by  U.S.  and  foreign  patents. 

Algorithm: 

Step  1 .  Choose  a  secret  initial  value  for  the  seed-key,  KKE Y. 

Step  2.  In  hexadecimal  notation  let 

t  =  EFCDAB89  98BADCFE  10325476  C3D2E1F0  67452301. 

This  is  a  cyclic  shift  of  the  initial  value  for  Ho  ||  H]  ||  H2 1|  H3 1|  H4  in  the  SHS. 

Step  3.  For  j  =  0  to  m  -  1  do 

a.  k  =  G(t,KKEY)  mod  q. 

b.  Compute  kj’’  =  k''  mod  q. 

c.  Compute  q  =  (g*^  mod  p)  mod  q. 

d.  KKEY  =  (1  +  KKEY  +  k)  mod  2^ 

Step  4.  Suppose  Mq  , ... ,  Mm-i  are  the  next  m  messages.  For  j  =  0  to  m  -  1  do 

a.  Leth=SHA-l(Mj). 

b.  Let  sj  =  (kj''(h  +  xq))  mod  q. 

c.  The  signature  for  Mj  is  (q,Sj). 

Step  5.  Let  t  =  h. 

Step  6.  Go  to  step  3. 
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Step  3  permits  precomputation  of  the  quantities  needed  to  sign  the  next  m  messages.  Step  4  can 
begin  whenever  the  first  of  these  m  messages  is  ready.  The  execution  of  step  4  can  be  suspended 
whenever  the  next  of  the  m  messages  is  not  ready.  As  soon  as  steps  4  and  5  have  completed,  step 
3  can  be  executed,  and  the  results  saved  until  the  first  member  of  the  next  group  of  m  messages  is 
ready. 

In  addition  to  space  for  KKEY,  two  arrays  of  length  m  are  needed  to  store  ro  , ...  rm-i  and  ko" km. 
r’  when  they  are  computed  in  step  3.  Storage  for  so  , ... ,  Sm-i  is  only  needed  if  the  signatures  for  a 
group  of  messages  are  stored;  otherwise  sj  in  step  4  can  be  replaced  by  s  and  a  single  space  allocated. 

3.3.  CONSTRUCTING  THE  FUNCTION  G  FROM  THE  SHA-1 

G(t,c)  may  be  constructed  using  steps  (a)  -  (e)  in  section  7  of  the  Specifications  for  the  Secure  Hash 
Standard.  Before  executing  these  steps,  {Hj}  and  M|  must  be  initialized  as  follows: 

i.  Initialize  the  {Hj}  by  dividing  the  160  bit  value  t  into  five  32-bit  segments  as  follows: 

t  =  to  II  t]  II  t2  II  ts  II  t4 
Then  Hj  =  tj  for  j  =  0  through  4. 

ii.  There  will  be  only  one  message  block,  M|,  which  is  initialized  as  follows: 

Mi=c||0^'^-'’ 

(The  first  b  bits  of  Mi  contain  c,  and  the  remaining  (512-b)  bits  are  set  to  zero). 

Then  steps  (a)  through  (e)  of  section  7  are  executed,  and  G(t,c)  is  the  160  bit  string  represented  by 
the  five  words: 

Ho  II  Hi  II  H2  II  H3  II  H4 

at  the  end  of  step  (e). 

3.4.  CONSTRUCTING  THE  FUNCTION  G  FROM  THE  DES 

Let  a  XOR  b  denote  the  bitwise  exclusive-or  of  bit  strings  a  and  b.  Suppose  al,  a2,  bl,  b2  are  32-bit 
strings.  Let  bl'  be  the  24  least  significant  bits  of  bl.  Let  K  =  bl'  ||  b2  and  A  =  al  ||  a2.  Define 


DESbi,b2(al,a2)  =  DESK(A) 


In  the  above,  DESk(A)  represents  ordinary  DES  encr3q)tion  of  the  64-bit  block  A  using  the  56-bit 
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key  K.  Now  suppose  t  and  c  are  each  160  bits.  To  compute  G(t,c): 
Step  1.  Write 

t  =  ti  II  t2  II  ta  II  t4  II  ts 
C  =  Cl  II  C2  II  C3  II  C4  II  Cs 
In  the  above,  each  b  and  ci  is  32  bits. 

Step  2.  For  i  =  1  to  5  do 
Xi  =  ti  XOR  Ci 
Step  3.  For  i  =  1  to  5  do 

bl  ~  C((i+3)  mod  5)  +  1 
b2  —  C((i+2)  mod  5)  +  1 

al  =  Xi 

^2  —  X(i  mod  5)  +  1  XOR  X((i+3)  mod  5)  +  I 

yi,i  II  yi,2  =  DESbi,b2(al,a2)  (yj,  yi,2  =  32  bits) 

Step  4.  For  i  =  1  to  5  do 

Zi  ~  yi,l  XOR  y((i+i)  mod  5)+l,2  XOR  y((i+2)  mod  5)+l,l 

Step  5.  Let 

G(t,c)  =  Z]  II  Z2  II  Z3  II  Z4  II  Z5 
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APPENDIX  4.  GENERATION  OF  OTHER  QUANTITIES  FOR  THE  DSA 

This  appendix  is  for  informational  purposes  only  and  is  not  required  to  meet  the  standard. 

The  algorithms  given  in  this  appendix  may  be  used  to  generate  the  quantities  g,  k'’,  and  s'’  used  in 
the  DSA. 

To  generate  g: 

Step  1.  Generate  p  and  q  as  specified  in  Appendix  2. 

Step  2.  Let  e  =  (p  -  l)/q. 

Step  3.  Set  h  =  any  integer,  where  1  <  h  <  p  -  1  and  h  differs  from  any  value  previously  tried. 
Step  4.  Set  g  =  h®  mod  p. 

Step  5.  If  g  =  1,  go  to  step  3. 

To  compute  the  multiplicative  inverse  n'’  mod  q  for  n  with  0  <  n  <  q,  where  0  <  n’’  <  q: 

Step  1 .  Set  i  =  q,  h  =  n,  V  =  0,  and  d  =  1 . 

Step  2.  Let  t  =  i  DIV  h,  where  DIV  is  defined  as  integer  division. 

Step  3.  Set  X  =  h. 

Step  4.  Set  h  =  i  -  tx. 

Step  5.  Set  i  =  x. 

Step  6.  Set  x  =  d. 

Step  7.  Set  d  =  v  -  tx. 

Step  8.  Set  v  =  x. 

Step  9.  If  h  >  0,  go  to  step  2. 

Step  10.  Let  n'’  =  v  mod  q. 

Note  that  in  step  10,  v  may  be  negative.  The  v  mod  q  operation  should  yield  a  value  between  1  and 
q  -  1  inclusive. 
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APPENDIX  5.  EXAMPLE  OF  THE  DSA 


This  appendix  is  for  informational  purposes  only  and  is  not  required  to  meet  the  standard. 

Let  L  =  512  (size  of  p).  The  values  in  this  example  are  expressed  in  hexadecimal  notation.  The  p 
and  q  given  here  were  generated  by  the  prime  generation  standard  described  in  appendix  2  using  the 
160-bit  SEED: 

d5014e4b  60ef2ba8  b6211b40  62ba3224  e0427dd3 

With  this  SEED,  the  algorithm  found  p  and  q  when  the  counter  was  at  105.  x  was  generated  by  the 
algorithm  described  in  appendix  3,  section  3.1,  using  the  SHA-1  to  construct  G  (as  in  appendix  3, 
section  3.3)  and  a  160-bit  XKEY: 

XKEY  = 

bd029bbe  7f51960b  cf9edb2b  61f06f0f  eb5a38b6 
t  = 

67452301  EFCDAB89  98BADCFE  10325476  C3D2E1F0 
X  =  G(t,XKEY)  mod  q 

k  was  generated  by  the  algorithm  described  in  appendix  3,  section  3.2,  using  the  SHA-1  to  construct 
G  (as  in  appendix  3,  section  3.3)  and  a  160-bit  KKEY: 

KKEY  = 


687a66d9  0648f993  867el21f  4ddf9ddb  01205584 


t  = 


EFCDAB89  98BADCFE  10325476  C3D2E1F0  67452301 
k  =  G(t,KKEY)  mod  q 


Finally: 
h  =  2 
P  = 


8df2a494 

cbb8324f 


492276aa  3d25759b  b06869cb  eac0d83a  fb8d0cf7 
0d7882e5  d0762fc5  b7210eaf  c2e9adac  32ab7aac 
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49693dfb  f83724c2  ec0736ee  31c80291 

q  = 

C773218C  737ec8ee  993b4f2d  ed30f48e  dace915f 
g  = 

626d0278  39ea0al3  413163a5  5b4cb500  299d5522  956cefcb 

3bffl0f3  99ce2c2e  71cb9de5  fa24babf  58e5b795  21925c9c 

c42e9f6f  464b088c  c572af53  e6d78802 

X  = 

2070b322  3dba372f  delcOffc  7b2e3b49  8b260614 

k  = 

358dad57  1462710f  50e254cf  Ia376b2b  deaadfbf 

k-’  = 

0d516729  8202e49b  4116acl0  4fc3f415  ae52f917 

M  =  ASCII  form  of  "abc"  (See  FIPS  PUB  180-1,  Appendix  A) 

(SHA-1)(M)  = 

a9993e36  4706816a  ba3e2571  7850c26c  9cd0d89d 

y  = 

19131871  d75bl612  a819f29d  78dlb0d7  346f7aa7  7bb62a85 

9bfd6c56  75da9d21  2d3a36ef  1672ef66  0b8c7c25  5cc0ec74 

858fba33  f44c0669  9630a76b  030ee333 

r  = 

8baclab6  6410435c  b7181f95  bl6ab97c  92b341c0 

s  = 

41e2345f  If56df24  58f426dl  55b4ba2d  b6dcd8c8 


w  = 


9df4ece5  826be95f  ed406d41  b43edc0b  lcl8841b 
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ul  = 


bf 655bd0 

46f 0b35e 

c791b004 

804af ebb 

8ef7d69d 

u2  = 

821a9263 

12e97ade 

abcc8d08 

2b527897 

8a2df 4b0 

g“’  mod  p 

= 

Blblbf 86 
9063bd3d 
6f96662a 

7888e5f3 

2bl38b4c 

1987a21b 

af 6fb476 
e02cc0c0 

e4ecl071 

9dd016bc 

2ec62bb6 

010b6069 

fe667a65 

7306c63e 

aaf c2753 
4db95bbf 

mod  p 

= 

8b510071 

5c611a72 

Cl9441f4 

29570950 

e2b28483 

22bf3c34 

50d6b8fd 

be52c74d 

OSaebalf 

376a668e 

4b30de61 

0a4dbec7 

4b0d633c 
a6  6  8  96  60 

10460665 

dc307a67 

V  “ 

8baclab6 

6410435c 

b7181f 95 

bl6ab97c 

92b341c0 
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APPENDIX  6.  RECOMMENDED  ELLIPTIC  CURVES  FOR  FEDERAL 

GOVERNMENT  USE 
July  1999 

This  collection  of  elliptic  curves  is  recommended  for  Federal  government  use  and 
contains  choices  of  private  key  length  and  underlying  fields. 

I.  Parameter  Choices 

1.1  Choice  of  Key  Lengths 

The  principal  parameters  for  elliptic  curve  cryptography  are  the  elliptic  curve 
E  and  a  designated  point  G  onE  called  the  base  point.  The  base  point  has  order  r,  a 
large  prime.  The  number  of  points  on  the  curve  is  n  =fr  for  some  integer / (the 
cofactor)  not  divisible  by  r.  For  efficiency  reasons,  it  is  desirable  to  take  the 
cofactor  to  be  as  small  as  possible. 

All  of  the  curves  given  below  have  cofactors  1,  2,  or  4.  As  a  result,  the 
private  and  public  keys  are  approximately  the  same  length.  Each  length  is  chosen  to 
correspond  to  the  cryptovariable  length  of  a  common  symmetric  cryptologic.  In 
each  case,  the  private  key  length  is,  at  least,  approximately  twice  the  symmetric 
cryptovariable  length. 

1.2  Choice  of  Underlying  Fields 

For  each  cryptovariable  length,  there  are  given  two  kinds  of  fields. 

•  A  prime  field  is  the  field  GF{p)  which  contains  a  prime  number  p  of 
elements.  The  elements  of  this  field  are  the  integers  modulo  p,  and  the 
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field  arithmetic  is  implemented  in  terms  of  the  arithmetic  of  integers 
modulo  p. 

•  A  binary  field  is  the  field  GF{2"')  which  contains  2"*  elements  for  some  m 
(called  the  degree  of  the  field).  The  elements  of  this  field  are  the  bit 
strings  of  length  m,  and  the  field  arithmetic  is  implemented  in  terms  of 
operations  on  the  bits. 

The  following  table  gives  the  sizes  of  the  various  underlying  fields.  By  //j9//is 
meant  the  length  of  the  binary  expansion  of  the  integer  p. 


Symmetric 

CV  Length 

80 

Example 

Algorithm 

SKIPJACK 

Prime  Field 

/M=  192 

Binarv  Field 

w  =  163 

112 

Triple-DES 

/M=  224 

m  =  233 

128 

AES  Small 

/M=  256 

m  =  283 

192 

AES  Medium 

/M=  384 

m  =  409 

256 

AES  Large 

I/pI  1=521 

m  =  571 

13  Choice  of  Basis 

To  describe  the  arithmetic  of  a  binary  field,  it  is  first  necessary  to  specify 
how  a  bit  string  is  to  be  interpreted.  This  is  referred  to  as  choosing  a  basis  for  the 
field.  There  are  two  common  types  of  bases:  a  polynomial  basis  and  a  normal  basis. 
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•  A  polynomial  basis  is  specified  by  an  irreducible  polynomial  modulo  2, 
called  the  field  polynomial.  The  bit  string  {Om-i  ...  <22  «i  ^o)  is  taken  to 
represent  the  polynomial 

Ofn-I  /  *  +...+  02  ^  a\t  +  Oo 

over  GF(2).  The  field  arithmetic  is  implemented  as  polynomial  arithmetic 
modulo  p(t),  where  p(t)  is  the  field  polynomial. 

•  A  normal  basis  is  specified  by  an  element  0  of  a  particular  kind.  The  bit 
string  (ao  ai  02  ...  a ^-i)  is  taken  to  represent  the  element 

OqO  +  Oi  6  +020  +  a„_  1 6 

Normal  basis  field  arithmetic  is  not  easy  to  describe  or  efficient  to 
implement  in  general,  but  is  for  a  special  class  called  Type  T  low- 
complexity  normal  bases.  For  a  given  field  degree  m,  the  choice  of  T 
specifies  the  basis  and  the  field  arithmetic  (see  Appendix  6.2). 

There  are  many  polynomial  bases  and  normal  bases  from  which  to  choose.  The 
following  procedures  are  commonly  used  to  select  a  basis  representation. 

•  Polynomial  Basis:  If  an  irreducible  trinomial  f”  +  +  1  exists  over  GF 

(2),  then  the  field  polynomial  p{t)  is  chosen  to  be  the  irreducible  trinomial 
with  the  lowest-degree  middle  term  /  .  If  no  irreducible  trinomial  exists, 
then  one  selects  instead  a pentanomial  t  +  f  +  t^  +  F  +  \.  The 
particular  pentanomial  chosen  has  the  following  properties:  the  second 
term  f  has  the  lowest  degree  w;  the  third  term  t^  has  the  lowest  degree 
among  all  irreducible  pentanomials  of  degree  m  and  second  term  f ;  and 
the  fourth  term  f  has  the  lowest  degree  among  all  irreducible 
pentanomials  of  degree  m,  second  term  f,  and  third  term  F 
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Normal  Basis:  Choose  the  Type  T  low-complexity  normal  basis  with  the 
smallest  T. 


For  each  binary  field,  the  parameters  are  given  for  the  above  basis  representations. 


L4  Choice  of  Curves 

Two  kinds  of  curves  are  given: 

•  Pseudo-randomcmwQS  are  those  whose  coefficients  are  generated  from 
the  output  of  a  seeded  cryptographic  hash.  If  the  seed  value  is  given 
along  with  the  coefficients,  it  can  be  verified  easily  that  the  coefficients 
were  indeed  generated  by  that  method. 

•  Special  curves  whose  coefficients  and  underlying  field  have  been  selected 
to  optimize  the  efficiency  of  the  elliptic  curve  operations. 

For  each  size,  the  following  curves  are  given: 

^  A  pseudo-random  curve  over  GF(p). 

— >  A  pseudo-random  curve  over  GF{2"'). 

A  special  curve  over  GF(2'”)  called  a  Koblitz  curve  or  anomalous  binary 
curve. 

The  pseudo-random  curves  are  generated  via  the  SHA-1  based  method  given  in  the 
ANSI  X9.62  and  IEEE  P1363  standards.  (The  generation  and  verification 
processes  are  given  in  Appendices  6-4  through  6-7.) 

1.5  Choice  of  Base  Points 
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Any  point  of  order  r  can  serve  as  the  base  point.  Each  curve  is  supplied  with 
a  sample  base  point  G  =  {Gx ,  Gy  ).  Users  may  want  to  generate  their  own  base 
points  to  ensure  cryptographic  separation  of  networks. 

2.  Curves  over  Prime  Fields 

For  each  prime  p,  a  pseudo-random  curve 

2  3 

E  :  y  =  X  -  3x  +b(mod p) 

of  prime  order  r  is  listedl.  (Thus,  for  these  curves,  the  cofactor  is  always /  =  1.) 
The  following  parameters  are  given: 

•  The  prime  modulus  p 

•  The  order  r 

•  the  160-bit  input  seed  5  to  SHA-1  based  algorithm 

•  The  output  c  of  the  SHA-1  based  algorithm 

•  The  coefficient  b  (satisfying  b^  c  =  -27  {mod p)) 

•  The  base  point  x  coordinate  Gx 

•  The  base  point  y  coordinate  Gy 

The  integers  p  and  r  are  given  in  decimal  form;  bit  strings  and  field  elements  are 
given  in  hex. 


1  The  selection  a  = -3  for  the  coefficient  of  x  was  made  for  reasons  of  efficiency;  see  IEEE  P 1 3  63 . 


28 


Curve  P-192 


(Oni  1 0 1 735386680763  8357894232076664 1 60839087\ 
00390324961279 

62771017353866807638357894231760590137671947\ 

73182842284081 

3045ae6f  c8422f64  ed579528  d38120ea  el2196d5 

3099d2bb 

bfcb2538  542dcd5f  b078b6ef  5f3d6fe2  c745de65 

64210519 

e59c80e7  0fa7e9ab  72243049  feb8deec  cl46b9bl 

188da80e 

b03090f6  7cbf20eb  43al8800  f4ff0afd  82ffl012 

07192b95 

ffc8da78  631011ed  6b24cdd5  73f977al  le794811 


Curve  P-224 


p  =  26959946667150639794667015087019630673557916\ 

260026308143510066298881 

r =  26959946667 15063979466701 50870 19625940457807\ 

7 1 4424391 72 1 68272236806 1 

5  =  bd7 13447  99d5c7fc  dc45b59f  a3b9ab8f  6a948bc5 

5b056c7e  1  Idd68f4 

0469ee7f3c7a7d74  f7dl2111  6506d031  218291fb 
b  =  b4050a85  0c04b3ab 

f54 13256  5044b0b7  d7bfd8ba  270b3943  2355flb4 
G  ^  =  b70e0cbd  6bb4bf7f 

321390b9  4a03cld3  56c21122  343280d6  115cld21 
Gy^  bd376388  b5f723fb 

4c22dfe6  cd4375a0  5a074764  44d58199  85007e34 
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Curve  P-256 


p  =  1 1579208921035624876269744694940757353008614\ 

341529031419553363130886709785395 1 
r =  1 1579208921035624876269744694940757352999695\ 

5224 1 3576034242225906 106851 2044369 
5  =  c49d3608  86e70493  6a6678el  139d26b7  819f7e90 

c  =  7efbal66  2985be94  03cb055c 

75d4f7e0  ce8d84a9  c51 14abc  afi  17768  0104fa0d 
b  =  5ac635d8  aa3a93e7  b3ebbd55 

769886bc  651d06b0  cc53b0f6  3bce3c3e  27d2604b 
G^=  6b  1 7d  1  f2  e  1 2c4247  f8bce6e5 

63a440f2  77037d81  2deb33a0  f4al3945  d898c296 
G 4fe342e2  fela7f9b  8ee7eb4a 
7c0f9el6  2bce3357  6b315ece  cbb64068  37bf51f5 
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Curve  P-384 


p  =  39402006196394479212279040100143613805079739\ 

27046544666794829340424572177149687032904726\ 
6088258938001861606973 112319 
r =  39402006196394479212279040100143613805079739\ 

2704654466679469052796276593991 1326356939895\ 
6308152294913554433653942643 
s  =  a335926a  a3 19a27a  ld00896a  6773a482  7acdac73 

79dle655  f868102f 

ff48dcdeel4151ddb80643cl  406d0cal  0dfe6fc5 
2009540a  495e8042  ea5f744f6e  184667  cc722483 
b  =  b3312fa7  e23ee7e4 

988e056b  e3f82dl9  181d9c6e  fe8141 12  0314088f 
5013875a  c656398d  8a2edl9d  2a85c8ed  d3ec2aef 
G aa87ca22  be8b0537 
8eblc71e  fi20ad74  6eld3b62  8ba79b98  59f741e0 
82542a38  5502f25d  bf55296c  3a545e38  72760ab7 
Gy^  3617de4a96262c6f 

5d9e98bf  9292dc29  f8f41dbd  289a  147c  e9da31 13 
b5f0b8c0  OabOblce  Id7e819d  7a431d7c  90ea0e5f 
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Curve  P-521 


p  =  68647976601306097149819007990813932172694353\ 

00143305409394463459185543183397656052122559\ 
64066145455497729631 139148085803712198799971\ 
664381257402829 1 1 1 5057 1 5 1 

r =  68647976601306097149819007990813932172694353\ 

00143305409394463459185543183397655394245057\ 
746333217197532963996371363321 1 1386476861244\ 
0380340372808892707005449 

5  =  d09e8800  291cb853  96cc6717  393284aa  a0da64ba 

c  =  0b4  8bfa5f42 

0a349495  39d2bdfc  264eeeeb  077688e4  4fblOad8 
f6d0edb3  7bd6b533  28100051  8el9flb9  ffbe0fe9 
ed8a3c22  00b8f875  e523868c  70cle5bf  55bad637 

051  953eb961 

8elc9alf  929a21a0  b68540ee  a2da725b  99b315f3 
b8b48991  8efl09el  56193951  ec7e937b  1652c0bd 
3bblbf07  3573df88  3d2c34fl  ef451fd4  6b503f00 

c6  858e06b7 

0404e9cd  9e3ecb66  2395b442  9c648139  053fb521 
f828af60  6b4d3dba  al4b5e77  efe75928  feldcl27 
a2ffa8de  3348b3cl  856a429b  f97e7e31  c2e5bd66 
Gy^  118  39296a78 

9a3bc004  5c8a5fb4  2c7dlbd9  98f54449  579b4468 
17afbdl7  273e662c  97ee7299  5ef42640  c550b901 
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3fad0761  353c7086  a272c240  88be9476  9fdl6650 


3.  Curves  over  Binary  Fields 

For  each  field  degree  m,  a  pseudo-random  curve  is  given,  along  with  a 
Koblitz  curve.  The  pseudo-random  curve  has  the  form 

E:  y'^  +  xy  ^  +  b, 

and  the  Koblitz  curve  has  the  form 

r-i  2  I  ^1  2  I  1 

ha:  y  xy  ^  X  +  ax  +1 

where  a  =  0  or  1 . 

For  each  pseudorandom  curve,  the  cofactor  is /=  2.  The  cofactor  of  each 
Koblitz  curve  is /=  2  if  «  =  1  and /=  4  if  «  =  0. 

The  coefficients  of  the  pseudo-random  curves,  and  the  coordinates  of  the 
base  points  of  both  kinds  of  curves,  are  given  in  terms  of  both  the  polynomial  and 
normal  basis  representations  discussed  in  1.3. 

For  each  m,  the  following  parameters  are  given; 

Field  Represen  ta  tion: 

•  The  normal  basis  type  T 

•  The  field  polynomial  (a  trinomial  or  pentanomial) 

Koblitz  Curve: 

•  The  coefficient  a 

•  The  base  point  order  r 

•  The  base  point  x  coordinate  G  ^ 

•  The  base  point  y  coordinate  G  ^ 

Pseudo-random  curve: 

•  The  base  point  order  r 
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Pseudo-random  curve  (Polynomial Basis  representation): 


•  The  coefficient  b 

•  The  base  point  x  coordinate  G  x 

•  The  base  point  y  coordinate  G  y 
Pseudo-random  curve  (Normal  Basis  representation): 

•  The  160-bit  input  seed  s  to  the  SHA-1  based  algorithm 

•  The  coefficient  b  (i.e.,  the  output  of  the  SHA-1  based  algorithm) 

•  The  base  point  x  coordinate  G  x 

•  The  base  point  y  coordinate  G  y 

Integers  (such  as  T,  m,  and  r)  are  given  in  decimal  form;  bit  strings  and 
field  elements  are  given  in  hex. 
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Degree  163  Binary  Field 


r=4 

p{t)  ^  f  +  \ 

Curve  K-163 

(3=1 

r  =  5846006549323611672814741753598448348329118574063 
Polynomial  Basis: 

G x=  2  fel3c053  7bbcl lac  aa07d793  de4e6d5e  5c94eee8 

Gy  =  2  89070fb0  5d38ff58  321f2e80  0536d538  ccdaa3d9 

Normal  Basis: 

Gx-  0  5679b353  caa46825  fea2d371  3ba450da  0c2a4541 
Gy^  2  35b7c671  00506899  06bac3d9  dec76a83  5591edb2 

Curve  B-163 

r  =  5846006549323611672814742442876390689256843201587 
Polynomial  Basis: 

b=  2  0a601907  b8c953ca  1481ebl0  51217874  4a3205fd 

Gx-  3  fOebal 62  86a2d57e  a099 1 1 68  d4994637  e8343e36 

Gy^  0  d5 1  fbc6c  7 1  a0094f a2cdd545  b  1 1  c5c0c  797324fl 

Normal  Basis: 

s  =  85e25bfe  5c86226c  dbl2016f  7553f9d0  e693a268 
6  =  6  645ficac  fl638el3  9c6cdl3e  f61734fb  c9e3d9fb 

Gx-  0  311103cl  7167564a ce77ccb0  9c681 188  6ba54ee8 
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3  33acl3c6  447f2e67  613bf700  9daf98c8  7bb50c7f 


Degree  233  Binary  Field 


r=2 

pit)  =  +  \ 

Curve  K-233 

(3  =  0 

r  =3450873173395281893717377931 1385127605709409888622521\ 
26328087024741343 
Polynomial  Basis: 

G,=  172  32ba853a7e731afl 

29f22ff4  149563a4  19c26bf5  0a4c9d6e  efad6126 
Gy^  Idb  537dece8  19b7f70f 

555a67c4  27a8cd9b  fl8aeb9b  56e0cl  10  56fae6a3 

Normal  Basis: 

G,^  Ofd  e76d9dcd 26e643ac 

26flaa90  laa  12978  4b71fc07  22b2d056  14d650b3 
G^=  064  3e31 7633  155c9e04 

47ba8020  a3c43177  450ee036  d6335014  34cac978 
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Curve  B-233 


r  =  69017463467905637874347558622770255558398127373450135\ 
55379383634485463 


Polynomial  Basis: 

b  =  066  647ede6c  332c7f8c 

0923bb58  213b333b  20e9ce42  81fell5f  7d8f90ad 

Ofa  c9dfcbac  83 1 3bb2 1 
39flbb75  5fef65bc  391f8b36  f8f8eb73  71fd558b 
G  v=  100  6a08a419  03350678 

e58528be  bfSaObef  f867a7ca  36716f7e  01f81052 

Normal  Basis: 


s  =  74d59ff0  7f6b413d  0eal4b34  4b20a2db  049b50c3 

b=  Ia0  03e0962d4f9a8e40 

7c904a95  38163adb  82521260  0c7752ad  52233279 

18b  863524b3cdfefb94 
f2784e0b  116faac5  4404bc91  62a363ba  b84al4c5 

Gy^  049  25df77bd  8b8ffl a5 

ff519417  822bfedf  2bbd7526  44292c98  c7af6e02 
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Degree  283  Binary  Field 


r=6 

+  f  + +  \ 

Curve  K-283 


(2  =  0 

r= 388533778445145814183892381364703781328481 17337930613\ 
24295874997529815829704422603873 
Polynomial  Basis: 

G  ^  =  5032 1 3f  78ca4488  3fl a3b8 1  62fl  88e5 

53cd265f  23cl567a  16876913  b0c2ac24  58492836 
Gy  =  lccda38  0flc9e31  8d90f95d  07e5426f 

e87e45c0  e8184698  e4596236  4e341 161  77dd2259 

Normal  Basis: 

G  ,  =  3ab9593  f8db09fc  188fld7c  4ac9fcc3 

e57fcd3b  db  15024b  212c7022  9de5fcd9  2eb0ea60 
Gy^  21 18c47  55e7345c  d8f603ef 93b98bl0 

6fe8854f  feb9a3b3  04634cc8  3a0e759f  0c2686bl 
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Curve  B-283 


r  =  77706755689029 162836778476272940756265696259243769048\ 
891091 9652677004427778737869287 1 
Polynomial  Basis: 

b  =  27b680a  c8b8596d  a5a4af8a  19a0303f 

ca97fd76  45309fa2  a58 1485a  f6263e31  3b79a2f5 
5193925  8db7dd90  e  1 934f8c  70b0dfec 
2eed25b8  557eac9c  80e2el98  fScdbecd  86bl2053 
Gy  =  3676854  fe24141c  b98fe6d4  b20d02b4 

516ff702  350eddb0  826779c8  1310df45  be8112f4 

Normal  Basis: 

s  =  77e2b073  70eb0f83  2a6dd5b6  2dfc88cd  06bb84be 

b  =  157261b  894739fb  5al3503f  55f0b3fl 

0c560116  66331022  01138ccl  80c0206b  dafbc951 
G  ^  =  749468e  464ee468  634b2 1  f7  f6 1  cb700 

701817e6  bc36a236  4cb8906e  940948ea  a463c35d 
G  ^  -  62968bd  3b489ac5  c9b859da  68475c3 1  5bafcdc4 

ccd0dc90  5b70f624  46f49c05  2f49c08c 
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4 


Degree  409  Binary  Field 


p{t)  =  +  1 

Curve  K-409 

(3  =  0 

r  =  33052798439512429947595765401638551991420234148214060\ 
964232439502288071 12892491910506732584577774580140963\ 
66590617731358671 
Polynomial  Basis: 

060105f658f49cl  ad3abl89 
0f7 18421  0efd0987  e307c84c  27accfb8  19f67cc2 
c460189e  b5aaaa62  ee222ebl  b35540cf  e9023746 
G  y  =  le36905  0b7c4e42  acbaldac 

bf04299c  3460782f  918ea427  e6325165  e9eal0e3 
da5f6c42  e9c55215  aa9ca27a  5863ec48  d8e0286b 

Normal  Basis: 

G  ^  =  Ib559c7  cba2422e  3affel33 

43e808b5  5e012d72  6ca0b7e6  a63aeafb  cle3a98e 
lOcaOfcf  98350c3b  7f89a975  4a8eldc0  713cec4a 
Gy^  16d8c42  052fD7e7  713e7490 

effil8ba  labdbfef  8a5433c8  94b24f5c  817aeb79 
852496fb  ee803a47  bc8a2038  78ebflc4  99afd7d6 
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Curve  B-409 


r  =  66105596879024859895191530803277103982840468296428121\ 
9284648798304 1 57774827374805208143723762 17911 09659798\ 
67288366567526771 
Polynomial  Basis: 

6  =  02 1  a5c2  c8ee9feb  5c4b9a75 

3b7b476b  7fd6422e  fll3dd67  4761fa99  d6ac27c8 
a9al97b2  72822f6c  d57a55aa  4f50ae31  7bl3545f 

1 5d4860  d088ddb3  496b0c60 
64756260  441cde4a  fl771d4d  b01ffe5b  34e59703 
dc255a86  8al  18051  5603aeab  60794e54  bb7996a7 
Gy  =  061blcf  ab6be5f3  2bbfa783 

24edl06a  7636b9c5  a7bdl98d  0158aa4f  5488d08f 
38514flf  df4b4f40  d2181b36  81c364ba  0273c706 

Normal  Basis: 

s  =  4099b5a4  57f9d69f  792 1 3d09  4c4bcd4d  42622 1  Ob 

b  -  124d065  Ic3d3772  f7f5alfe 

6e7 15559  e2129bdf  a04d52f7  b6ac7c53  2cfDed06 
f610072d  88ad2fdc  c50c6fde  72843670  f8b3742a 
G  ^  =  Oceacbc  9f475767  d8e69f3b 

5dfab398  13685262  bcacf22b  84c7b6dd  981899e7 
318c96f0  761f77c6  02c016ce  d7c548de  830d708f 
Gy^  1 99d64b  a8fD89c6  db0e0b6 1 

e80bb959  34afd0ca  f2e8be76  dlc5e9af  fc7476df 
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49142691  ad303902  88aa09bc  c59cl573  aa3c009a 
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Degree  571  Binary  Field 


10 

p{t)  +  \ 


(2  =  0 


Curve  K-571 


r  =  1 93226876 1 508629 1 72347675945465993672 1 494636648532 1 74\ 
99328617625725759571 14478021226813397852270671 1834706\ 
71280082535146127367497406661731 192968242161709250355\ 
5733685276673 


Polynomial  Basis: 


G 


>■ 


Normal  Basis: 

Gx  = 


26eb7a8  59923fbc  82189631 
f8103fe4  ac9ca297  0012d5d4  60248048  01841ca4 
43709584  93b205e6  47da304d  b4ceb08c  bbdlba39 
494776fb  988b4717  4dca88c7  e2945283  a01c8972 

349dc80  7f4fbf37  4f4aeade 
3bca9531  4dd58cec  9f307a54  ffc61efc  006d8a2c 
9d4979c0  ac44aea7  4fbebbb9  f772aedc  b620b01a 
7ba7aflb  320430c8  591984f6  01cd4cl4  3eflc7a3 

04bb2db  a418d0db  107adae0 
03427e5d  7ccl39ac  b465e593  4fDbea2a  b2D622b 
c29b3d5b  9aa7alfd  fd5d8be6  6057cl00  8e71e484 
bcd98f22  bf847642  37673674  29ef2ec5  bc3ebcf7 
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44cbb57  de20788d  2c952d7b 
56cf39bd  3e89bl89  84bdl24e  751ceff4  369dd8da 
c6a59e6e  745df44d  8220ce22  aa2c852c  fcbbef49 
ebaa98bd  2483e331  80e04286  feaa2530  SOcaffbO 


Curve  B-571 


3864537523017258344695351 89093 19873442989273297064349\ 
98657235251451519142289560424536143999389415773083133\ 
881121 9269444862468724628 1 68 1 30702345282883033324 1 1 39\ 
3191105285703 
Polynomial  Basis: 

b  =  2f40e7e  222 1 1295  de297 1 1 7 

b7f3d62f  5c6a97ff  cb8ceffl  cd6ba8ce  4a9al8ad 
84ffabbd  8efa5933  2be7ad67  56a66e29  4afdl85a 
78ffl2aa  520e4de7  39baca0c  7ffeff7f  2955727a 
303001d34b85629  6cl6c0d4 
0d3cd775  0a93dld2  955fa80a  a5f40fc8  db7b2abd 
bde53950  f4c0d293  cdd711a3  5b67fbl4  99ae6003 
8614fl39  4abfa3b4  c850d927  ele7769c  8eec2dl9 
G  37bf273  42da639b  6dccfffe 

b73d69d7  8c6c27a6  009cbbca  1980f853  3921e8a6 
84423e43  bab08a57  6291af8f  461bb2a8  b3531d2f 
0485cl9b  16e2fl51  6e23dd3c  la4827af  Ib8acl5b 

Normal  Basis: 

s  =  2aa058f7  3a0e33ab  486b0f61  0410c53a  7fl32310 

b  =  3762d0d  47116006  179da356 

88eeaccf591a5cde  a7500011  8d9608c5  9132d434 
26101ald  16377411  5f586623  17510000  lce61198 
3cl275fa  31f5bc9f  4bela0f4  67101ca8  85c74777 
G =  0735e03  5def5925  cc33 173e 
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b2a8ce77  67522b46  6d278b65  0a291612  7dfea9d2 
d361089f  0a7a0247  al84elc7  0d4 17866  eOfeOfeb 
0ff8f2f3  19176418  197dll7e  624e2015  dfl662a8 


Gy^  04a3642  0572616c  df7e606f 

ccadaecf  c3b76dab  0ebl248d  d03fbdfc  9cd3242c 
4726be57  9855e812  de7ec5c5  00b4576a  24628048 
b6a72d88  0062eed0  dd34bl09  6d3acbb6  b01a4a97 
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APPENDIX  6.1:  IMPLEMENTATION  OF  MODULAR  ARITHMETIC 


The  prime  moduli  in  the  above  examples  are  of  a  special  type  (called 
generalized Mersenne  numbers)  for  which  modular  multiplication  can  be  carried 
out  more  efficiently  than  in  general.  This  appendix  provides  the  rules  for 
implementing  this  faster  arithmetic,  for  each  of  the  prime  moduli  appearing  in  the 
examples. 

The  usual  way  to  multiply  two  integers  (mod  m)  is  to  take  the  integer 
product  and  reduce  it  (mod  m).  One  therefore  has  the  following  problem:  given  an 
integer  A  less  than  m  ,  compute 

B  :=  A  mod  m. 

In  general,  one  must  obtain  B  as  the  remainder  of  an  integer  division.  If  m  is 
a  generalized  Mersenne  number,  however,  then  B  can  be  expressed  as  a  sum  or 
difference  (mod  m)  of  a  small  number  of  terms.  To  compute  this  expression,  one 
can  evaluate  the  integer  sum  or  difference  and  reduce  the  result  modulo  m.  The 
latter  reduction  can  be  accomplished  by  adding  or  subtracting  a  few  copies  of  m. 

The  prime  moduli  p  for  each  of  the  five  example  curves  is  a  generalized 
Mersenne  number. 
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Curve  P-192: 


The  modulus  for  this  curve  is/?  =  2  -  2  -  1.  Every  integer^  less  than 

can  be  written 

A^As-  2^^®  +  A4  •  +  A3  •  2**^^  +  A2  •  2^^^  +  Ai  •  2^  +  Aq, 

where  each  A,  is  a  64-bit  integer.  The  expression  for  B  is 
B  T  +  Si  +  S2  +  Si  mod  p; 
where  the  192-bit  terms  are  given  by 

T^A2  ■  2^^^+Ai  ■  2^^+Ao 
Si=  Ai-2^''  +  Ai 

S2-A4-2^^^  +  A4-2^'^ 

S3=As-2‘^‘  +  As  ■2'^+ As. 
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Curve  P-224: 


The  modulus  for  this  curve  is  /?  =  2  -  2  +  1 .  Every  integer  A  less  than 

can  be  written 

^=^13-2^^V  ^12 -2^*^  ^11  -2^^^  Au)-2^^^+  Ag-l^^^-h  Ag-l^^^-h  Ayl^^U 
A  -  y^s-  2^“+  A4-2^^^-h  A3-2''U  A2-2^U  Ai-2^^-h  Aq, 

where  each^,  is  a  32-bit  integer.  As  a  concatenation  of  32-bit  words,  this  can  be 
denoted  by 

(Ai3  //  A\2  H  ■  ■  ■  II A()  ). 

The  expression  for  B  is 

B  :=  T  +  S I  +  S 2  -  Di  -  Di  iriod  p, 
where  the  224-bit  terms  are  given  by 

T  =  (  A,\\As\\  A4  A3\\  A2\\  A4A4 
Si-(  ^10 11^9  II  ^sII^tII  0  II  0  II  0  ) 

52  =  (  0  \\An\\An\\An\\  0  ||  0  ||  0  ) 

22i-  (An  II  ^12 II  ^11 II  ^10 II  ^9 II  ^8  II  ^7) 

Z)2  =  (  0  II  0  II  0  II  0  11^,3  M,2||  ^11). 
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Curve  P-256: 


The  modulus  for  this  curve  is  /?  =  2^^^  -  +  2^^^  +  2^^  -  1 .  Every  integer  A 

less  than  can  be  written 

^=^15-2^®®+  ^14-2^^^+  Ax-i-2'^^^+  An- 2^^^+  An- 2^^^  + 

An-2^+  A, -2^^^+  As- 2^^^+  Ay2^^U  A,- 2^^^+  As -2^^^  + 

^4-2^^®+  ^•2‘^V  ^2-2^V  An2^^+  Aq, 
where  each  ^ ,  is  a  32-bit  integer.  As  a  concatenation  of  32-bit  words,  this  can  be 
denoted  by 

^  ~  (^15  |Mi4  II  ■  ■  ■  II  ^0  )• 

The  expression  for  B  is 

B  '.—  T  2iSi  +  2S2  +  /S3  +  /S4  -  D\  -  D2  -  D3  -  D4  mod  p, 
where  the  256-bit  terms  are  given  by 


T  ■■ 

“  (  ^7 

^6 

As 

II  ^4 

II  ^3 

II  ^2 

II  A, 

II  Aq  ) 

Sp- 

=  (  ^15  II 

^14 

II  V, 

IM.2 

II 

II 0 

II  0 

II  0  ) 

S2-- 

=  (  0  1 

)  A[4 

II  An  II  An 

II 0 

II  0 

II  0  ) 

S3 

^  (  ^15 

Ai4 

II  0 

II  0 

II  0 

IMi 

10 II  Ac^ 

'  IMs ) 

S4- 

^  (  ^8 

^13 

II  Ais 

1  Ai4 

II  An 

II  ^llll^lO 

II  A9) 

D, 

^  (^10 

^8 

II  0 

II  0 

II  0  II  Au\\A 

12 II  ^11 ) 

D2 

^  (  ^11  II 

A9 

II  0 

II  0 

II  ^15  II  A 

14  II 2I13 II  ^12  ) 

D3 

^  (  ^12  II 

0 

II  Alo 

II  A9 

II  As 

Mi5 

Ai4 

II  ^13) 

D4 

^  (^13  II 

0 

\\Au 

II  Aio 

II  A9 

II  0 

\\Ai5 

II  ^14  )• 
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Curve  P-384: 


The  modulus  for  this  curve  is  /?  =  2  -  2  -  2  +  2  -  1 .  Every  integer  A 

less  than  can  be  written 

A  =^23-  2^^ V  ^22-  2^°V  ^21-  2^^V  A2Q-2^^^+  ^19-  2“®  + 

^i8-2^^V  ^17 -2^^^  ^16-2^'V  ^15-2'^^®+  ^14-2^^^+  ^13-2^^'’+  An 
•2^*V  ^11-2^^^+  ^10-2^^°+  A- 2^^^+  At  2^^^  + 

^6-  2^‘^V  ^5-2^'^°+  A  -  2'^^+  ^3-  2*^^  A2-2^^+  An2^^+  Aq, 
where  each  ^ ,  is  a  32-bit  integer.  As  a  concatenation  of  32-bit  words,  this  can  be 
denoted  by 

A  =  (A23 II A22  II  •  •  •  IMo  )• 

The  expression  for  B  is 

B  '.=  T  2iS'i  +  /S'2  +  /S'3  +  /S4  +  /Ss  +  /S'6  -  D\  -  D2  -  D3  mod  p, 
where  the  384-bit  terms  are  given  by 


T  = 

Aiil 

^10 

^9 

II 

II  ^7  II  ^6 

II  As 

IM4 

11^3  11^2  II  A 

1  Mo) 

(  0  II 

0 

II  0 

II  0 

II 

0 II  .4 

23  11  ^ 

22II A 

21  1 

0  II  0  II 

0  II  0) 

(^23 

^22 

^21 

II  ^20 

IM 

19  II  ^18 

IMi7 

\\A\6 

II  ^isll  ^14  II  A] 

3  ^12) 

(^20  II 

An 

^18 

^17 

IM 

16  II  ^15 

II  ^14 

IMi3 

IM12  1  ^23!  ^22!  ^21) 

(^19  1 

^18 

Mi7 

IM16 

IM 

15  II  ^14 

IMi3 

II  An 

M20II  0||  A 

23  0  ) 

(  0  II 

0 

II  0 

II  0 

II  ^23  II  ^2: 

11  ^21  II  A 

20 

1  oil  oil 

0  ||0) 

(  0  II 

0 

II  0 

II  0 

II 

0  II  0 

11  A23  \\A 

22 

M21II  0  II  0  II  A20) 

A  = 

(^22 

^21 

IM2C 

II  ^19 

M 

18  II  ^17 

IM16 

|Mi5 

II  ^14  II  ^13  M 

12I  ^23) 

D2- 

=  (0  1 

0 

II  0 

II  0 

II 

0  II  0 

II  0 

\\A 

23 

A22  1  ^2  II 

hK 

to 

0 

0 

A  = 

(  oil 

0 

II  0 

II  0 

II 

0  II  0 

II  0 

\\A23  1 

A23  0 II 

0  II  0). 
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Curve  P-521: 

The  modulus  for  this  curve  is  /?  =  2  -  1 .  Every  integer  A  less  than can 

be  written 

A  —  A\-  2^^*  +  Aq, 

The  expression  for  B  is 

B  :^Ao+Ai  mod p 
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APPENDIX  6.2:  NORMAL  BASES 


The  elements  of  GF(2’”)  are  expressed  in  terms  of  the  type  T  normal 
basis  2  B  for  GF(2'”),  for  some  T.  Each  element  has  a  unique  representation 
as  a  bit  string 

(  QQ  a\  .  .  .  ttyyi-X  ) 

The  arithmetic  operations  are  performed  as  follows. 

Addition :  addition  of  two  elements  is  implemented  by  bitwise  addition  modulo  2. 
Thus,  for  example, 

(11001 11) +  (1010010)  =  (01 10101). 

Sauarins'.  if 

a  =  {qq  a\  . . .  Oyn-i ) 

then 

(^z^_  j  a^  j  .  .  .  ) 

Multiplication:  to  perform  multiplication,  one  first  constructs  a  function  F{u,v)  on 
inputs 

u  =  {uq  Ui  .  .  .  u„.x  )  and  y  =  (  Vq  Vi  .  .  .  ) 

as  follows. 

1 .  Set  p  <—  Tm  +  I 

2.  Let  u  be  an  integer  having  order  T  modulo  p 


2  It  is  assumed  in  this  section  that  m  is  odd  and  T  is  even,  since  this  is  the  only  case  considered  in  this  standard. 
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3 .  Compute  the  sequence  F  ( 1 );  F  (2), . . . (p- 1 )  as  follows : 

3.1  Set  w<—  1 

3.2  Fory  from  0  to  F-1  do 

Set «  w 

For  i  from  0  to  m-\  do 
Set  F{n)  <—  i 
Set  n  <—2n  mod  p 
Set  w  <—uw  mod  p 

4.  Output  the  formula 

p-2 

F(u,  v)  :=  ^UF(k+\)VF(p-k). 

k=\ 

This  computation  need  only  be  performed  once  per  basis. 

Given  the  function  F  for  B,  one  computes  the  product 

(  Cq  Cl  .  .  .  Cfii-i  )  (  (Zq  Cl\  .  .  .  )  X  (  bg  b\  .  .  .  bjYi-\  ) 

as  follows. 

1.  Set  (^uqU\  . .  .  Ufft-i )  ^ {  gq  Cl  I  . . .  ) 

2.  Set  (  Vo  vi  .  .  .  v„.i)  ^{bobi  .  .  .  b,rt-\  ) 

3.  For  k  from  0  to  w  -  1  do 

3.1  Compute 

Ck  :=  Fiik  v) 

3.2  Set  u  <—  LeftShift  (m)  and  v  LeftShift  (v),  where  LeftShift 
denotes  the  circular  left  shift  operation. 

4.  Output  c  :=  (  Co  Cl  . . .  c^-i  ) 
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EXAMPLE.  For  the  type  4  normal  basis  for  GF{2’),  one  has /?  =  29  and 
M  =  12  or  17.  Thus  the  values  of  F  are  given  by 


F(1)  =  0 

F(8)  =  3 

F(15)  =  6 

F(22)  =  5 

F(2)=l 

F(9)  =  3 

F(16)  =  4 

F(23)  =  6 

F(3)  =  5 

F(10)  =  2 

F(17)  =  0 

F(24)=  1 

F(4)  =  2 

F(ll)  =  4 

II 

F(25)  =  2 

F(5)=l 

F(12)  =  0 

F(19)  =  2 

F(26)  =  5 

F(6)  =  6 

F(13)  =  4 

F(20)  =  3 

F(27)=  1 

F(7)  =  5 

F(14)  =  6 

F(21)  =  3 

F(28)  =  0 

Therefore 

F  (W  y)  =  Vi  +  Ml  (Vo  +  +  V5  +  V6  )  +  (Vi  +  y?  +  V4  +  Vs  ) 

+  M3  (V2  +  Vs  )  +  (V2  +  V6  )  +  Ms  (Vl  +  +  y?  +  V6  ) 

+  M6  (Vi  +  V4  +  Vs  +  V6  ). 

Thus,  if 

M  =  (1  0  1  0  1  1  1)  and  />  =  (1  1  0  0  0  0  1), 

then 

Co  =  F((l  0  1  0  1  1  1),(1  1  00  00  1))  =  1, 

Ci=F((0  1  0  1  1  1  1),(1  0  00  0  1  1))  =  0, 

C6  =  F((1  1  0  1  0  1  1);(1  1  1  00  00))  =  1, 

so  that  c  =  mZ)  =  (1  0  1  10  0  1). 


57 


APPENDIX  6.3:  SCALAR  MULTIPLICATION  ON  KOBLITZ  CURVES 


This  appendix  describes  a  particularly  efficient  method  of  computing  the 
scalar  multiple  nP  on  the  Koblitz  curve  £„  over  GF(2'”). 

The  operation  t  is  defined  by 

r(x,y)^(x\y^) 

When  the  normal  basis  representation  is  used,  then  the  operation  t  is 
implemented  by  performing  right  circular  shifts  on  the  bit  strings  representing  x  and 

T- 

Given  m  and  a,  define  the  following  parameters: 

•  C  is  some  integer  greater  than  5. 

•  For  /  =  0  and  z  =  1 ,  define  the  sequence  Si{m)  by 

5/(0)  =0,  5/(1)  =  1-4 

5/(m)  =  p  •  5/(m  -  1)  -  2  5/(w  -  2)  +  (-1)' 

•  Define  the  sequence  V{m) 

n0)  =  2,  V(1)=M 

V(m)  =  /U  •  v(m  -1)  -  2V{m  -  2). 
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For  the  example  curves,  the  quantities  S/(w)  and  F(m)  are  as  follows. 
Curve  K- 163: 


5o(163)  =  2579386439110731650419537 
5i(163)  =  -755360064476226375461594 
F(163)  =  -4845466632539410776804317 

Curve  K-233: 

so(233)  =  -27859711741434429761757834964435883 
.si(233)  =  -44192136247082304936052160908934886 
F(233)  =  -137381546011 108235394987299651366779 

Curve  K-283: 

5o(283)  = -665981532109049041 108795536001591469280025 
.si(283)=  1155860054909136775192281072591609913945968 
F(283)  =  7777244870872830999287791970962823977569917 

Curve  K-409: 

^o(409)  =  -1830751045600238213781031719875646137859054248755686\ 
9338419259 

5i(409)  =  -8893048526 1 3  8304097 1 9665324 1 8442 1 2679626566 1 00996606\ 
444816790 

F(409)=1045728873731562592744768538704832073763879695768757\ 

5791173829 


Curve  K-571: 


59 


5o(571)  =  -37373194468764636924293858924761 1556714729396459613\ 

1 024 1 2340642023  524191 672998326 1305 
5i(57  1 )  =  -3 1 9 1 8577064464 1 60995838 1 4595948959674 1 3 1 9689 1 2 1 48564\ 
65861056511758982848515832612248752 
F(571)=-148380926981691413899619140297051490364542574180493\ 
93623291233953420851682897311 1459843 


The  following  algorithm  computes  the  scalar  multiple  nP  on  the  Koblitz 
curve  Ea  over  GF(2'”).  The  average  number  of  elliptic  additions  and  subtractions  is 
at  most  ~  1  +  (w/3),  and  is  at  most  ~  w/3  with  probability  at  least  1  -  2^'*^. 

For  z  =  0  to  1  do 

n  ^  I  n  /2  '  J 

g'<r-  Siim)  •  n' 
h'^  \_g'l2"\ 
j' <r-  V{m)  •  h' 

r^Round((g'+70/2^'”^^^^^) 
fi  <-  Round(9l,>) 

hi  <—  0 

77  ^  2  77o  +  llTii 
If77>l 

then 
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if  rio- 3  iirii  <-l 

then  set  Ai  ^ 
else  set  ho  <—  1 

else 

if77o  +4/1  7]i>2 

then  set  /zi  <—  /t 

If  77  <-l 
then 

if  7]o  -  3  /7  7]i  >  1 

then  set  /?!  < —  fi 
else  set  ho  < — 1 
else 

if  770  +  4  /7  771  <  -2 

then  set  /21  < —  // 

qi  <— /i  +  /zi 

ro  <-  77  -  (^0  +  M  *^1)  ^0  -  25i  qx 


rx  <^Sxqo-  Sq  qx 
Set  0  ^  O 
Po^P 

While  To  #  0  or  ri  #  0 
If  ro  odd  then 

set  M  <—  2  -  (ro  -  2  ri  mod  4) 
set  To  <—  To  -  M 
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if  M  =  1  then  set  g  ^  +  Po 
if  M  =  -1  then  set  g  ^  -  Po 
Set  P 0  i —  tP 0 

Set  (ro  ,  ri)  ^  (rj  +  jt/ro  fl,  -  /2) 

Endwhile 
Output  Q 
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APPENDIX  6.4:  GENERATION  OF 
PSEUDO-RANDOM  CURVES  (PRIME  CASE) 

Let  /  be  the  bit  length  of  p,  and  define 

V  =L(/  -  l)/160j 

w  =  /  -  1 60v  -  I 

1.  Choose  an  arbitrary  160-bit  string  5'. 

2.  Compute SHA-^j”). 

3.  Let  Hq  be  the  bit  string  obtained  by  taking  the  w  rightmost  bits  of  h. 

4.  Let  z  be  the  integer  whose  binary  expansion  is  given  by  the  160-bit  string  s. 

5.  For  i  from  1  to  v  do: 

5.1  Define  the  160-bit  string  5,  to  be  binary  expansion  of  the  integer 

(z  +  i)  mod  (2  ). 

5.2  Compute /z,  :=SHA- 1(5,). 

6.  Let  h  be  the  bit  string  obtained  by  the  concatenation  oi ho ,  h\, .  .  . ,  K  as  follows: 

h  =  ho  II  /?i  II ...  II  hv 

7.  Let  c  be  the  integer  whose  binary  expansion  is  given  by  the  bit  string  h. 

8.  If  c  =  0  or  4c  +  27  =  0  (mod p),  then  go  to  Step  1 . 

9.  Choose  integers  a,b  e  GF(p)  such  that 

c  =  a^  (mod  p). 

(The  simplest  choice  is  c  =  c  and  b  =  c.  However,  one  may  want  to  choose 
differently  for  performance  reasons.) 

10.  Check  that  the  elliptic  curve  E  over  GF{p)  given  by  y  ^  +  ax  +  6  has 

suitable  order.  If  not,  go  to  Step  1 . 
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APPENDIX  6.5:  VERIFICATION  OF  CURVE 
PSEUDO-RANDOMNESS  (PRIME  CASE) 

Given  the  160-bit  seed  value  s,  one  can  verify  that  the  coefficient  b  was 
obtained  from  6-  via  the  cryptographic  hash  function  SHA-1  as  follows. 

Let  /  be  the  bit  length  of  p,  and  define 

V  =L(/  -  l)/160j 

w  =  l  -  \  60v  -  1 

1.  Compute  h  :=  SHA-1  (j-). 

2.  Let  Hq  be  the  bit  string  obtained  by  taking  the  w  rightmost  bits  of  h. 

3.  Let  z  be  the  integer  whose  binary  expansion  is  given  by  the  160-bit  string  5. 

4.  For  i  from  1  to  v  do 

4. 1  Define  the  160-bit  string  5,  to  be  binary  expansion  of  the  integer 
(z  +  i)  mod  ). 

4.2  Compute /i,  :=SHA- 1(5,). 

5.  Let  h  be  the  bit  string  obtained  by  the  concatenation  oi ho ,  h\, .  .  . ,  hy  diS  follows: 

h  =  hQ  II  /ii  II ...  II  hy. 

6.  Let  c  be  the  integer  whose  binary  expansion  is  given  by  the  bit  string  h. 

7.  Verify  that  c  = -21  (mod  p). 
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APPENDIX  6.6:  GENERATION  OF 
PSEUDO-RANDOM  CURVES  (BINARY  CASE) 


Let: 

V  ^V{m  -  \)  IB\ 
w^m-  Bv 

1.  Choose  an  arbitrary  160-bit  string  5'. 

2.  Compute  h  :=  SHA-^j”) 

3.  Let  Hq  be  the  bit  string  obtained  by  taking  the  w  rightmost  bits  of  h. 

4.  Let  z  be  the  integer  whose  binary  expansion  is  given  by  the  160-bit  string  s. 

5.  For  i  from  1  to  v  do: 

5.1  Define  the  160-bit  string  5,  to  be  binary  expansion  of  the  integer 
(z  +  i)  mod  ). 

5.2  Compute /z,  :=SH A- 1(5,). 

6.  Let  h  be  the  bit  string  obtained  by  the  concatenation  oi ho ,  h\, .  .  . ,  K  as  follows: 

h  =  ho  II  /?i  II ...  II  Av 

7.  Let  b  be  the  element  of  GF{2'")  which  binary  expansion  is  given  by  the  bit  string 

h. 

8.  Choose  an  element  a  of  GF(2'”). 

9.  Check  that  the  elliptic  curve  E  over  GF(2'”)  given  hy  +  xy  ^ 

+  ax  +  b  has  suitable  order.  If  not,  go  to  Step  1 . 
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APPENDIX  6.7:  VERIFICATION  OF  CURVE 
PSEUDO-RANDOMNESS  (BINARY  CASE) 

Given  the  160-bit  seed  value  s,  one  can  verify  that  the  coefficient  b  was 
obtained  from  6-  via  the  cryptographic  hash  function  SHA-1  as  follows. 

Define 

V  =  L  (w  -  1)  /160j 

m -  1 60v 

1.  Compute  h  :=  SHA-1  (s) 

2.  Let  Hq  be  the  bit  string  obtained  by  taking  the  >v  rightmost  bits  of  h. 

3.  Let  z  be  the  integer  whose  binary  expansion  is  given  by  the  160-bit  string 

s. 

4.  For  i  from  1  to  v  do 

4. 1  Define  the  160-bit  string  5i  to  be  binary  expansion  of  the  integer  (z 
+  0mod  (2^'’°) 

4.2  Compute  hi  :=SHA-1(5, ). 

5.  Let  h  be  the  bit  string  obtained  by  the  concatenation  of  Ao ,  /ii, .  .  . ,  Av  as 
follows: 

h  =  ho  II  II  ...  II  hy. 

6.  Let  c  be  the  element  of  GF(2'" )  which  is  represented  by  the  bit  string  h. 

7.  Verify  that  c  =  6. 
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APPENDIX  6.8:  POLYNOMIAL  BASIS  TO  NORMAL  BASIS  CONVERSION 


Suppose  that  a  an  element  of  the  field  GF(2'”).  Denote  by  p  the  bit  string 
representing  a  with  respect  to  a  given  polynomial  basis.  It  is  desired  to  compute  n, 
the  bit  string  representing  a  with  respect  to  a  given  normal  basis.  This  is  done  via 
the  matrix  computation 

p  r  =  n 

Where  L  is  an  m-by-w  matrix  with  entries  in  GF{2).  The  matrix  T,  which  depends 
only  on  the  bases,  can  be  computed  easily  given  its  second-to-last  row.  The 
second-to-last  row  for  each  conversion  is  given  in  the  table  below. 

Decree  163: 

3  el73bfaf  3a86434d  883a2918  a489ddbd  69fe84el 


De2ree  233: 


Obe  19b89595  28bbc490 
038f4bc4  da8bdfcl  ca36bb05  853fd0ed  0ae200ce 


Decree  283: 

3347fl7  521fdabc  62ecl551  acfl56fb 
0bceb855  fl74d4cl  7807511c  9f745382  add53bc3 


De2ree  409: 


0eb00f2  ea95fd6c  64024e7f 
0b68b81f  5ff8a467  acc2b4c3  b9372843  6265c7ff 
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a06d896c  ae3a7e31  e295ec30  3eb9f769  de78bef5 


De2ree  571: 


7940ffa  ef996513  4d59dcbf 
e5bf239b  e4fe4b41  05959c5d  4d942ffd  46ea35D 
e3cdbOel  04a2aa01  cei30a3 a  49478011  196blb43 
c55091b6  1174d7c0  8d0cdd61  3bf6748a  bad972a4 


Given  the  second-to-last  row  r  of  F,  the  rest  of  the  matrix  is  computed  as 
follows.  Let  (5  be  the  element  of  GF(2'")  whose  representation  with  respect  to  the 
normal  basis  is  r.  Then  the  rows  of  F,  from  top  to  bottom,  are  the  bit  strings 
representing  the  elements 

with  respect  to  the  normal  basis.  (Note  that  the  element  1  is  represented  by  the  all- 1 
bit  string.) 

Alternatively,  the  matrix  is  the  inverse  of  the  matrix  described  in  Appendix 

6.9. 

More  details  of  these  computations  can  be  found  in  Annex  A. 7  of  the  IEEE 
PI 363  standard. 
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APPENDIX  6.9:  NORMAL  BASIS  TO  POLYNOMIAL  BASIS  CONVERSION 


Suppose  that  a  an  element  of  the  field  GF(2'”).  Denote  by  n  the  bit  string 
representing  a  with  respect  to  a  given  normal  basis.  It  is  desired  to  compute  p,  the 
bit  string  representing  a  with  respect  to  a  given  polynomial  basis.  This  is  done  via 
the  matrix  computation 

n  r  =  p 

where  T  is  an  m-hy-m  matrix  with  entries  in  GF(2).  The  matrix  T,  which  depends 
only  on  the  bases,  can  be  computed  easily  given  its  top  row.  The  top  row  for  each 
conversion  is  given  in  the  table  below. 

Desree  163: 

7  15 169c  10  9c612e39  0d347c74  8342bcd3  b02a0bef 


De2ree  233: 


149  9e398ac5  d79e3685 

59b35ca4  9bb7305d  a6c0390b  cf9e2300  253203c9 


Decree  283: 


De2ree  409: 


31e0ed7  91c3282d  c5624a72  0818049d 
053e8c7a  b8663792  bcld792e  ba9867fc  7b317a99 

0dfa06b  e206aa97  b7a41fff 
b9b0c55f  8f048062  fbe8381b  4248adf9  2912ccc8 
e3f91a24  elcfb395  05326988  971c2304  2e85708d 
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De2ree  571: 


452186b  bf5840a0  bcf8c9fD 


2a54efa0  4e813b43  c3d41496  06c4d27b  487bfl07 
393c8907  f79d9778  beb35ee8  7467d328  8274caeb 
da6ce05a  eb4ca5cf  3c3044bd  4372232f  2cla27c4 

Given  the  top  row  r  of  F,  the  rest  of  the  matrix  is  computed  as  follows.  Let  P 
be  the  element  of  GF(2  whose  representation  with  respect  to  the  polynomial 
basis  is  r.  Then  the  rows  of  F,  from  top  to  bottom,  are  the  bit  strings  representing 
the  elements 

with  respect  to  the  polynomial  basis. 

Alternatively,  the  matrix  is  the  inverse  of  the  matrix  described  in  Appendix 

6.8. 

More  details  of  these  computations  can  be  found  in  Annex  A. 7  of  the  IEEE 
PI 363  standard. 
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FIPS  186-2,  DIGITAL  SIGNATURE  STANDARD 
CHANGE  NOTICE  1 


U.S.  DEPARTMENT  OF  COMMERCE 

NATIONAL  INSTITUTE  OF  STANDARDS  AND  TECHNOLOGY 
Gaithersburg,  MD  20899 

DATE  OF  CHANGE:  2001  October  5 

Federal  Information  Processing  Standard  (FIPS)  186-2,  Digital  Signature  Standard,  specifies  the 
Digital  Signature  Algorithm  (DSA)  that  may  be  used  in  the  generation  and  verification  of  digital 
signatures  for  sensitive,  unclassified  applications.  FIPS  1 86-2  also  allows  the  use  of  the  digital 
signature  techniques  specified  in  American  National  Standards  Institute  (ANSI)  X9.31  (Digital 
Signatures  Using  Reversible  Public  Key  Cryptography  for  the  Financial  Services  Industry 
(rDSA))  and  ANSI  X9.62  (Public  Key  Cryptography  for  the  Financial  Services  Industry:  The 
Elliptic  Curve  Digital  Signature  Algorithm  (ECDSA)).  The  standard  also  specifies  a  transition 
period  for  the  use  of  existing  (legacy)  digital  signature  systems.  Reversible  public  key 
algorithms,  such  as  the  RSA  or  Rabin-Williams  algorithms,  are  often  used  in  these  legacy 
systems. 

FIPS  186-2  is  used  in  conjunction  with  the  hash  function  specified  in  FIPS  180-1,  Secure  Hash 
Standard  (SHS),  and  includes  specifications  for  the  size  of  the  prime  modulus  p,  and  algorithms 
for  the  generation  of  a  user’s  private  key,  x,  and  a  user’s  per  message  secret  number,  k. 

This  change  notice  provides  changes  for  the  continued  use  of  DSA  as  specified  in  FIPS  186-2 
about  the  size  of  the  prime  modulus  p,  modifications  for  the  random  number  generation 
techniques  specified  in  Appendix  3  of  FIPS  186-2,  and  provides  instructions  for  the  use  of  these 
techniques  when  used  in  contexts  other  than  the  generation  of  DSA  keys.  This  change  notice  also 
provides  guidance  for  the  use  of  the  reversible  public  key  algorithms  within  legacy  systems. 

Questions  regarding  this  change  notice  may  be  directed  to  FIPS  1 86@, nist.gov  or  to  Elaine  Barker 
( ebarker@nist. gov.  301-975-2911). 


The  Size  of  the  Prime  Modulus 

Section  4  of  FIPS  186-2  specifies  that  the  prime  modulus  p  of  DSA  is  defined  for  the  range  of 
prime  integers  2^’’  <p  <2^  ,  where  5 12  <  L  <  1024  and  L  is  a  multiple  of  64.  This  change  notice 
specifies  that  L  should  assume  only  the  value  1024  for  DSA  as  specified  in  FIPS  186-2,  i.e.,  the 
prime  modulus p  should  be  defined  in  the  range  2'°^^  <p<  2’'*^'*. 

The  RSA  and  Rabin-Williams  algorithms  used  within  legacy  systems  are  defined  with  a  modulus 
n  and  prime  factors  p  and  q  of  n.  This  change  notice  specifies  that  n  should  be  at  least  1024  bits 
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in  length,  and  p  and  q  should  be  approximately  half  the  size  of  n  in  bits. 


Random  Number  Generation 

FIPS  186-2  includes  algorithms  for  the  generation  of  a  user’s  private  key,  x,  and  a  user’s  per 
message  secret  number,  k.  These  values  must  be  generated  randomly  or  pseudorandomly  and 
must  have  values  between  0  and  the  160-bit  prime  q  (as  specified  in  the  standard).  Techniques 
for  generating  x  and  k  are  provided  in  Appendix  3  of  the  standard. 

Recently,  an  unpublished  attack  on  DSA3  was  found  that  relies  on  the  non-uniformity  of  the 
pseudorandom  number  generators  (PRNGs)  specified  in  Appendix  3  of  the  standard.  The  attack 
has  a  workfactor  of  2^  and  requires  2^^  known  signatures.  This  attack  can  be  defended  against  by 
either  limiting  the  number  of  signatures  created  using  a  specific  key  pair  to  no  more  than  2 
million  signatures  while  using  the  PRNGs  specified  in  FIPS  1 86-2,  or  by  modifying  the  PRNGs. 

If  the  PRNGs  currently  defined  in  FIPS  186-2  are  used,  the  user  should  be  provided  with  clear 
guidance  about  the  limitation  to  the  number  of  signatures  that  should  be  created. 

Alternatively,  the  following  modifications  of  the  PRNGs  may  be  used  in  lieu  of  those  PRNGs 
specified  in  FIPS  186-2.  These  modifications  reduce  the  non-uniformity  of  the  PRNGs  and  do 
not  affect  interoperability. 

The  two  algorithms  described  below  use  a  one-way  function  G(t,c),  where  t  is  160  bits,  c  is  h  bits 
and  G(f,c)  is  160  bits.  Two  methods  for  constructing  G  are  defined  in  FIPS  186-2:  using  SHA-1 
as  defined  in  FIPS  180-1,  and  using  the  Data  Encryption  Standard  (DES)  as  defined  in  FIPS  46- 
3.  If  G  is  constructed  using  SHA-1,  b  is  between  160  and  512  bits  (160  <  h  <  512);  if  G  is 
constructed  using  DES,  b  is  equal  to  160  bits. 

1.  Revised  Algorithm  for  Computing  m  values  of  x  (Appendix  3.1  of  FIPS  186-2) 

Let  X  be  the  signer's  private  key.  The  following  may  be  used  to  generate  m  values  of  x: 

Step  1.  Choose  a  new,  secret  value  for  the  seed-key,  XKEY. 

Step  2.  In  hexadecimal  notation  let 

t  =  67452301  EFCDAB89  98BADCFE  10325476  C3D2E1F0. 

This  is  the  initial  value  for  T/q  ||  //|  ||  7/2  ||  //s  ||  /Tj  in  the  SHS  [FIPS  180-1]. 


3  The  attack  was  discovered  by  Dr.  Daniel  Bliechenbacher  of  Lucent  Technologies,  Bell  Labs,  Murray  Hill,  NJ.  See 
a  February  25,  2001  press  article  at  http://www.lucent.eom/press/0201/010205.bla.html. 
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Step  3.  For 7  =  0  to  m  -  1  do 

3 . 1  XSEED  j  =  optional  user  input 

3.2  For  /■  =  0  to  1  do 

2i.WAL  ={XKEY +)SEEDi)  modi  2^ 

h.Wi  =  G(t,WAL  ). 

c.  XKEY  =  (1  +  XKEY  +  w,)  mod  2^ 

3.3  Xj  =  (wo  II  w\)  mod  q 

2.  Revised  Algorithm  for  Precomputing  one  or  More  k  and  r  Values  (Appendix  3.2 
of  FIPS  186-21 

This  algorithm  can  be  used  to  precompute  k,  k'\  and  r  for  m  messages  at  a  time.  Note  that 
implementation  of  the  DSA  with  precomputation  may  be  covered  by  U.S.  and  foreign  patents. 

Step  1.  Choose  a  seeret  initial  value  for  the  seed-key,  KKEY. 

Step  2.  In  hexadeeimal  notation  let 

t  =  EFCDAB89  98BADCFE  10325476  C3D2E1F0  67452301. 

This  is  a  cyclic  shift  of  the  initial  value  for  //q  ||  ||  Hi  ||  ||  7/4  in  the  SHS. 

Step  3.  For 7  =  0  to  m  -  1  do 

3.1  For  /  =  0  to  1  do 

a.  Wi  =  Git,  KKEY) 

b.  KKEY  =  (1  +  KKEY  +  w,)  mod  t 

3.2  k=  iwQ\\w\)  mod  q 

3.3  Compute  A:/'  =  k'^  mod  q 

3.4  Compute  ry  =  mod 7>)  mod  ^ 
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Step  4.  Suppose  Mo , ... ,  Mn,.]  are  the  next  m  messages.  For  /  =  0  to  m  -  1  do 


a.  LetA  =  SHA-l(M/). 

b.  Let  5/ =  (A:/’ (A  +  XT;))  mod  ^ 


c.  The  signature  for  M/  is  (r/,  Sj). 

Step  5.  Let  t  =  h 
Step  6.  Go  to  step  3. 

Step  3  permits  pre-computation  of  the  quantities  needed  to  sign  the  next  m  messages.  Step  4  can 
begin  whenever  the  first  of  these  m  messages  is  ready.  The  execution  of  step  4  can  be  suspended 
whenever  the  next  of  the  m  messages  is  not  ready.  As  soon  as  steps  4  and  5  have  completed,  step 
3  can  be  executed,  and  the  results  saved  until  the  first  member  of  the  next  group  of  m  messages  is 
ready. 

In  addition  to  space  for  KKEY,  two  arrays  of  length  m  are  needed  to  store  ro , ...  r„,.]  and  ko  \  ... ,  km-{ 
’  when  they  are  computed  in  step  3.  Storage  for  , ... ,  s^.]  is  only  needed  if  the  signatures  for  a 
group  of  messages  are  stored;  otherwise  sj  in  step  4  can  be  replaced  by  s,  and  a  single  space 
allocated. 


General  Purpose  Random  Number  Generation 

Several  of  the  FIPS  require  the  use  of  an  Approved  (i.e.,  FIPS-approved  or  NIST  recommended) 
random  number  generator  (RNG).  The  RNG  specified  as  algorithm  1  above  or  the  algorithm 
specified  in  Appendix  3.1  of  FIPS  186-2  may  be  used  in  addition  to  any  other  Approved  RNG. 
However,  when  the  RNG  is  used  for  the  generation  of  random  numbers  other  than  for  DSA  keys, 
the  “mod  term  should  be  omitted.  This  will  result  in  the  following  changes  to  the 
specification: 

FIPS  186-2,  Appendix  3.1,  Step  3  c: 

Change  “x/  =  G(t,  XKAL  )  mod  q”  to  “x/  =  G(t,  WAL  )”. 

Algorithm  1  of  this  change  notice.  Step  3,  substep  3.2: 

Change  “x/  =  (wo  ||  w\)  mod  to  “x;  =  (wq  ||  wi)”. 
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